Privacy and Portable Storage Devices

December 2015



ABORIGINAL AFFAIRS AND NORTHERN DEVELOPMENT CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Aboriginal Affairs and Northern Development Canada (AANDC) has established a mechanism that captures the issuance of laptops.

The issuance of some, but not all, tablets and USB storage devices (portable hard drives and memory sticks) is recorded. CDs and DVDs are not registered.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

As per the AANDC Portable Storage Devices Standard section 6.7, all portable storage devices will be identified and tracked. The CIO will execute portable storage device audits in order to monitor compliance with this Standard. The CIO will develop, implement and assign responsibility for an IT Security Audit methodology, including mechanisms for auditing portable storage devices.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

AANDC has implemented a decentralized disposal process. Regional offices are responsible for managing the disposal of their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

AANDC uses certified wiping software to sanitize surplus laptops prior to their disposal. The software generates documentary evidence (verification report) confirming that a hard drive has been securely wiped.

None of the sites visited retained copies of the verification reports.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

As per the AANDC Portable Storage Devices Standard section 6.8, all portable storage devices will be cleared and disposed of. The CIO will execute portable storage device audits in order to monitor compliance with this Standard. The CIO will develop, implement and assign responsibility for an IT Security Audit methodology, including mechanisms for auditing portable storage devices.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

AANDC has formally assessed the risks surrounding the use of portable storage devices. However, the risk analysis did not cover the absence of technical controls to address:

  • the use of unauthorized USB storage devices; and
  • the use of CDs and DVDs to store data.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs and DVDs to store data,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

AANDC will assess the risk to personal information resulting from the use of portable storage devices specifically USBs, CDs and DVDs. Any significant risk identified will be mitigated to reduce it to an acceptable level. AANDC Senior Management will be engaged throughout this exercise to be able to make an informed decision.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

AANDC has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices including:

  • forced encryption on laptops; and
  • strong password parameters on laptops.

However, not all AANDC-issued USB storage devices are encrypted.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

As per the AANDC Portable Storage Devices Standard section 6.2, all portable storage devices are required to have encryption enabled, unless an exemption has been granted and the risk has been accepted. The CIO will execute portable storage device audits in order to monitor compliance with this Standard. The CIO will develop, implement and assign responsibility for an IT Security Audit methodology, including mechanisms for auditing portable storage devices.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

AANDC's Portable Storage Device Protection and Disposal Standard governs the use and management of portable storage devices (PSDs). The Standard addresses all types of PSDs, responsibility for safeguarding IT assets and information, the types of information that may be stored on devices, and the requirement to report the loss or theft of devices. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

AANDC has a policy in place to govern the use of portable storage devices. The policy is consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

AANDC has implemented mandatory security awareness training for all employees, including contract personnel. The training covers safeguarding portable storage devices (PSDs) and the information contained on them, as well as reporting the loss or theft of devices. The use of privately-owned devices for work-related purposes is addressed in other awareness material.

The training is supplemented by PSD user agreements. The agreements remind employees of their responsibility to comply with the Portable Storage Device Protection and Disposal Standard, ensure devices are labelled and stored securely, and immediately report the loss or theft of devices.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

The mandatory security awareness training program in place addresses the acceptable uses of, and the risks surrounding, portable storage devices. Accordingly, no recommendation is required.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosure of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established in AANDC's Security Management Framework and is also embedded in its Portable Storage Device Protection and Disposal Standard.

If a security incident results in a privacy violation, the Department's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.



AGRICULTURE AND AGRI-FOOD CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Agriculture and Agri-Food Canada (AAFC or the Department) has established a mechanism that captures the issuance of laptops and tablets.

The issuance of USB storage devices (memory sticks and portable hard drives), CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

AAFC accepts the recommendation.

AAFC will update the IT Security Policy to state that personal information must not be stored on PSDs. Any exceptions to the policy will follow the current PSD process which includes registration and tracking of the devices.

Approved target date (MRPA): December 31, 2015.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Department has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal disposal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Although no weaknesses were noted with existing disposal procedures, some regional sites are stockpiling surplus USB storage devices, CDs and DVDs and they were unaware of the established procedures for the disposal of such devices.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Ensure that employees are aware of established departmental procedures for the secure disposal of surplus USBs, CDs and DVDs.

Management Response:

AAFC accepts the recommendation.

AAFC will send a bi-annual reminder on news@work (internal news service) to all employees regarding the proper procedures to dispose of surplus USBs, CDs and DVDs securely.

Approved target date (MRPA): August 27, 2015.

Observations:

AAFC uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

AAFC accepts the recommendation.

Through the approved disposal process, AAFC ISB (IT Client Services) will ensure that proper cleansing documentation is generated to provide to AAFC CMB prior to disposal.

AAFC will develop a database to track the disposal certificates and maintain a file registry for any documentary evidence provided (such as confirmation reports).

Approved target date (MRPA): August 28, 2015.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although a number of controls have been implemented as part of AAFC's overall IT security posture, the Department has not formally assessed the risks surrounding the use of portable storage devices.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,
  • the ability to download and run unauthorized applications on tablets,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

AAFC accepts the recommendation.

AAFC will develop a privacy risk assessment on the use of the portable devices and more specifically the use of unauthorized USB storage devices, the use of CDs and DVDs, and the use of tablets.

Approved target date (MRPA): December 31, 2015.

AAFC will implement additional safeguards, as appropriate, if the current encryption is deemed insufficient.

Approved target date (MRPA): March 31, 2016.

Recommendation:

Review the use of tablets—insofar as the type of data that may be stored on the devices—and enhance protections if default hardware encryption is deemed insufficient.

Management Response:

AAFC accepts the recommendation.

AAFC will review the use of tablets and implement additional safeguards, as appropriate, if the current encryption is deemed insufficient.

Approved target date (MRPA): March 31, 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Department has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented on some laptops and USB storage devices;
  • Anti-virus protection is deployed on laptops;
  • Local administrative rights are restricted on laptops, preventing users from installing unauthorized applications; and
  • Laptops and tablets have sound password parameters.

Encryption has been implemented on tablets. However, as noted above, it has not been implemented or enforced on all laptops and USB storage devices.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

AAFC accepts the recommendation.

AAFC will deploy encrypted PSDs if they are required to store personal information, based on the AAFC Exception process.

Approved target date (MRPA): March 31, 2016.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

AAFC has implemented a number of policies and directives that collectively form its framework for managing portable storage devices (PSDs). The Department's Information Technology Security Policy and Standard on Physical Security are core governance instruments in this regard.

When examined collectively, existing instruments address responsibility for safeguarding IT assets and information, the type of information that may be stored on PSDs and the requirement to report the loss or theft of a device.

The Department's IT Security Policy refers to technology assets, optical media and "electronic storage devices", such as laptops, PDAs and cell phones. To ensure employees are well informed, there would be merit in expanding the definition of technology assets to explicitly include USB storage devices (memory sticks and portable hard drives).

The use of privately-owned PSDs is not addressed in existing policies or directives.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Ensure that policies governing the use of portable storage devices address all types of devices, including privately-owned devices used for work-related purposes.

Management Response:

AAFC accepts the recommendation.

AAFC will update the IT Security Policy to state that personal information must not be stored on PSDs. Any exceptions to the policy will follow the current PSD process which includes registration and tracking of the devices.

Approved target date (MRPA): March 31, 2016.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

AAFC has implemented mandatory security awareness training for all employees, including contract personnel. The training includes a specific module dedicated to portable storage devices (PSDs). The module addresses safeguarding assets and information, the type of data that can be stored on devices, as well as the requirement to report the loss or theft of a device. The training is supplemented by other resources, including web-based training and a USB Device User Agreement.

As reported in the preceding section, existing policies and directives are silent on the use of privately-owned PSDs for work-related purposes. The privacy risks surrounding privately-owned devices underscore the importance of ensuring employees are aware of the policy governing their use.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the Department's policy regarding the use of privately-owned portable storage devices for work-related purposes.

Management Response:

AAFC accepts the recommendation.

AAFC will develop a communications plan to promote the new IT Security Policy.

Approved target date (MRPA): March 31, 2016.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under AAFC's IT Security Policy, Standard on Physical Security and Directive on Security Management. The reporting requirement is also established in the Department's Privacy Breach Policy.

If a security incident results in a privacy violation, AAFC's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.



BANK OF CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Bank of Canada (the Bank) has established a mechanism that captures the issuance of laptops, tablets, USB storage devices (memory sticks and portable hard drives) and smart phones.

The Bank reported that it does not issue CDs and DVDs to store personal information.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

A mechanism is in place to track the issuance of portable storage devices that may be used to retain personal information; therefore, no recommendation is required.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Bank has implemented a centralized process for the disposal of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment at the Bank's head office.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, the Bank has implemented a centralized disposal process under which surplus and defective devices are shipped from other locations to head office. The risks associated with this shipment have been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

The Bank has assessed the risks surrounding the shipment of surplus and defective portable storage devices from various locations to Ottawa for disposal. Accordingly, no recommendation is required.

Observations:

The Bank uses certified wiping software to sanitize surplus laptops prior to their disposal. The software generates documentary evidence (verification report) confirming that a hard drive has been securely wiped. These reports are retained on file.

In addition, the Bank obtains certificates of destruction for devices that are disposed of by a third party service provider.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

The Bank retains documentary evidence—confirmation report generated by the cleansing software and/or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner. Accordingly, no recommendation is required.
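The following is an added example, not code from the audit report or from any institution's disposal tooling or certified wiping product, of what a retained verification record can capture after a zero-fill wipe, as discussed under Disposal of Surplus and Defective Assets for AANDC, AAFC and the Bank above. It is not a substitute for certified sanitization software: it only confirms that every byte the operating system can read back is zero, and it cannot see remapped or over-provisioned flash sectors, which is why physical destruction or a certified product remains the authoritative evidence. The JSON field names, the asset tag format, the operator field and the sample drive images are all assumptions constructed for this example.

```python
"""Added example, not from the audit report or from any certified wiping
product: build a retainable verification record for a zero-filled drive.

Hypothetical assumptions: the drive was overwritten with 0x00, the record is
one JSON line per device, and asset_tag / operator come from the inventory
register kept under Line of Enquiry I.
"""
import hashlib
import io
import json
from typing import BinaryIO, Optional, Union

BLOCK_SIZE = 4096


def verify_zero_wipe(dev: Union[bytes, BinaryIO], block_size: int = BLOCK_SIZE) -> dict:
    """Read the whole device, confirm every byte is 0x00 and hash what was read.

    The SHA-256 of the full read lets a later reviewer recompute the digest of
    an all-zero image of the same size and confirm the record was not edited.
    """
    if isinstance(dev, (bytes, bytearray)):
        dev = io.BytesIO(dev)
    digest = hashlib.sha256()
    zero_block = bytes(block_size)
    offset = 0
    first_bad: Optional[int] = None
    while True:
        chunk = dev.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        if first_bad is None and chunk != zero_block[:len(chunk)]:
            # Record the exact byte so the report says where the wipe failed.
            first_bad = offset + next(i for i, b in enumerate(chunk) if b)
        offset += len(chunk)
    return {
        "verified": first_bad is None,
        "bytes_examined": offset,
        "first_nonzero_offset": first_bad,
        "sha256": digest.hexdigest(),
    }


def wipe_record(asset_tag: str, operator: str, dev: Union[bytes, BinaryIO]) -> str:
    """Verification result plus inventory fields as one JSON line for the
    disposal file (field names are hypothetical)."""
    result = verify_zero_wipe(dev)
    result.update({"asset_tag": asset_tag, "operator": operator, "method": "zero-fill"})
    return json.dumps(result, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample images: a 1 MiB drive that was fully wiped, and one
    # where 16 bytes of old content survive near the end.
    clean = bytes(1024 * 1024)
    dirty = bytearray(clean)
    dirty[900_000:900_016] = b"client record 42"
    print(wipe_record("LT-0001", "tech.a", clean))
    print(wipe_record("LT-0002", "tech.a", bytes(dirty)))
```

Against a real device the function would be given an open raw handle (for instance `open("/dev/sdb", "rb")` on a host that has not mounted the drive), and the resulting JSON line would be filed with the asset's disposal record alongside the certified product's own report or the destruction certificate.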

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

The Bank has formally assessed the risks surrounding the use of portable storage devices, including:

  • the connection of unauthorized USB storage devices; and
  • the use of optical discs (CDs/DVDs) to store data.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

The Bank has assessed the security and privacy risks surrounding the use of portable storage devices; therefore, no recommendation is required.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Bank has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented and enforced on laptops, tablets and USB storage devices;
  • Anti-virus protection has been deployed on laptops and tablets;
  • Local administrative rights are restricted on laptops, tablets and smartphones, preventing the installation of unauthorized applications; and
  • Laptops and tablets have sound password parameters.

As reported in the preceding section (Risk Assessment), the Bank has assessed the risks surrounding the connection of unauthorized USB storage devices, as well as the use of optical discs to store personal information. At the time the audit concluded, measures to address identified gaps had not been implemented.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

Implement controls to address any identified risks to personal information resulting from:

  • the connection of unauthorized USB storage devices; and
  • the use of CDs/DVDs to store data.

Management Response:

To address the recommendation, the Bank will begin monitoring all portable storage device usage, including USB storage devices and CDs/DVDs, in early August 2015. This usage will be validated against identified business processes that require a storage solution other than the recently deployed encrypted USB storage devices, and exceptions will be investigated. Additional controls, including blocking and/or enhanced monitoring as required, will be operational by November 2015.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Bank has implemented a number of policies and standards that collectively form its framework for managing portable storage devices (PSDs). The Policy on Use of Bank Information and Communication Technologies, Operational Standard: Security Program, and Operational Standard: IT Security are key governance instruments in this regard.

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding IT assets and information, the type of information that may be stored on PSDs and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Bank has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

The Bank has implemented mandatory security awareness training for all employees.

The training includes a module dedicated to the Policy on Use of Bank Information and Communication Technologies. It addresses the obligation to safeguard information and label records according to their sensitivity, the use of privately-owned devices and the requirement to report security incidents involving the loss or theft of corporate assets.

The mandatory training is supplemented by other resources that are available on the Bank's intranet site (e.g. security bulletins) and user agreements for certain types of portable storage devices.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Security awareness training initiatives address the acceptable uses of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices. Accordingly, no recommendation is required.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Bank's Operational Standard: Security Program.

If a security incident results in a privacy violation, the Bank's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.



BUSINESS DEVELOPMENT BANK OF CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Business Development Bank of Canada (BDC or the Bank) has established a mechanism that captures the issuance of laptops, tablets and mobile phones. In addition, all authorized privately-owned devices (iPads and iPhones) permitted for work-related purposes are also recorded.

The issuance of portable hard drives, CDs and DVDs is not recorded. Moreover, the data captured in the registry of USBs (memory sticks) is limited to recipient name only; the registry does not track devices by unique identification numbers.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

As per our corporate directive, all records used to conduct BDC business are processed and stored in corporate application systems, which include records containing personal information. Therefore, there is no business need to support the storage of personal information in any other locations.

BDC will assess if there is a need for employees to store personal information in portable storage devices. If there is valid business justification to do so, BDC will implement a process and tool to support the recommendation.

In the interim, BDC will communicate to all employees and reinforce that they are not to replicate nor store personal information records out of the approved application systems.

Implementation target date: Q4 F16.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Bank has implemented a centralized process for the disposal of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment at the Bank's head office.

The Bank has established a disposal guide to assist staff involved in the disposal process. The guide addresses all types of PSDs and outlines appropriate disposal techniques. Although this provides a framework for disposing of IT equipment, the guide is not considered a formalized process or policy. Consequently, there is no standardized disposal process that BDC employees are required to follow.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Establish a formalized process to ensure that personal information residing on portable storage devices is disposed of in a consistent, secure manner.

Management Response:

The Bank agrees with the recommendation and has started the development and will implement a formal process to address the secure disposal of equipment, including portable storage devices. Once approved, the process will be communicated to all employees.

Implementation target date: Q1 F17.

Observations:

As reported above, the Bank has established a centralized process for managing the disposal of portable storage devices. Surplus IT assets are shipped to the Bank's head office without being sanitized (cleansed). The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

As recommended, we will assess the risks associated with the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office). Based on the assessment's results, BDC will ensure that appropriate controls are in place to mitigate the risk of a data exposure.

Note: As a current mitigation measure, all portable computer devices, BlackBerry and authorised USB keys provided by BDC are encrypted.

Implementation target date: Q1 F17.

Observations:

All surplus and defective portable storage devices are disposed of on-site (BDC head office) by a third party service provider. Although the hard drives are not sanitized prior to destruction, the process is carried out under the care and constant supervision of a BDC representative. Moreover, the destruction is video recorded.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

The destruction of surplus and defective portable storage devices is observed by a bank representative and the process is video recorded; therefore, no recommendation is required.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

With the exception of optical discs (CDs and DVDs), the Bank has formally assessed the risks surrounding the use of portable storage devices. However, the risk analysis did not cover the absence of technical controls to address:

  • the connection of unauthorized USB storage devices;
  • the ability to download and run unauthorized applications on smart phones and tablets managed with BES 10; and
  • use of unencrypted media cards on BlackBerry devices.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,
  • the ability to download and run unauthorized applications on BlackBerry and privately-owned devices,
  • the use of unencrypted media cards on BlackBerry devices,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

As recommended, we will perform an in-depth assessment of possible risks associated with the exposure of personal information resulting from:

  • lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,
  • the ability to download and run unauthorized applications on BlackBerry and privately-owned devices, and
  • the use of unencrypted media cards on BlackBerry devices.

The results of this assessment will identify necessary initiatives or projects for approval, prioritization and implementation in order to deploy the necessary controls.

Implementation target date: Q2 F17.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Bank has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented on BDC-issued laptops, tablets and USB storage devices;
  • Anti-virus protection is deployed on laptops;
  • Local administrative rights are restricted on laptops, preventing users from installing unauthorized applications; and
  • Laptops, tablets and USB storage devices have sound password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Bank has implemented a number of policies and directives that collectively form its framework for managing portable storage devices (PSDs). The Bank's Use of Technology and User Access Corporate Directives, as well as the Physical Security Safety and Emergency Policy, are core governance instruments in this regard.

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding devices and the type of information that may be stored on them. The use of privately-owned devices is also addressed.

While the requirement to report the loss or theft of IT assets with a monetary value of $200 or more is established in policy, employees are not obligated to report the loss or theft of devices below this monetary threshold (e.g. most USB storage devices, CDs and DVDs).

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Ensure that governing policies include the requirement to report the loss or theft of any portable storage device that may contain personal information.

Management Response:

We agree with the recommendation and will include, in the next update of the mentioned governing policies and directives, a formal obligation that employees report the loss or theft of any portable device that contains personal information.

Implementation target date: Q2 F17.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

The Bank has implemented mandatory security awareness training for all employees, including contract personnel. The training addresses employees' obligation to safeguard assets and information, prescribes the type of information that can be stored on portable storage devices and the requirement to report the loss or theft of corporate IT assets. The use of privately-owned devices is also addressed.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Security awareness training initiatives address the acceptable uses of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices. Accordingly, no recommendation is required.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device with a monetary value of two hundred dollars or more.

The requirement to report security incidents is established under the Bank's Physical Security Safety and Emergency Policy.

If a security incident results in a privacy violation, the Bank's privacy breach protocol would be triggered. Key elements of the process are breach containment, evaluation (impact), notification and prevention.

As reported previously, there is no requirement to report the loss or theft of IT assets with a monetary value of less than two hundred dollars. This would include most USB storage devices, as well as optical discs (CDs/DVDs).

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Ensure that the loss or theft of any portable storage device that may contain personal information—regardless of its monetary value—is investigated and where warranted, the privacy breach process applied.

Management Response:

The Bank agrees with the recommendation.

Applicable policies, directives and processes will be revised to include a requirement that employees report the loss or theft of any portable storage device that may contain personal information, regardless of its monetary value.

The process will ensure that all cases involving the loss or theft of a device will be investigated and where necessary, trigger the privacy breach process.

Implementation target date: Q2 F17.



CANADA BORDER SERVICES AGENCY

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Canada Border Services Agency (CBSA or the Agency) has established a mechanism that captures the issuance of laptops and tablets.

Some, but not all, USB storage devices (memory sticks and portable hard drives) are registered.

The issuance of CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

Agreed.

The Canada Border Services Agency will ensure that the issuance of all portable storage devices is inventoried, tracked, and labelled accordingly.

Completion date: July 2016.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Agency has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

The Agency uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

Agreed.

The Canada Border Services Agency will retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Completion date: December 2015.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

With the exception of optical discs (CDs and DVDs), the risks surrounding the use of portable storage devices have been formally assessed.

The assessment was undertaken by the Canada Revenue Agency, which manages the legacy IT infrastructure that was in place when the revenue and customs/excise mandates fell under the same entity, the Canada Customs and Revenue Agency (CCRA). CBSA's network resides on the legacy CCRA IT platform.

Although there is no evidence to suggest the existing control framework is lacking, the CBSA has not independently assessed portable storage device usage—and the deployment of IT security controls—within the context of its own programs and environment.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from the use of CDs/DVDs to store data, and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

Agreed.

The Canada Border Services Agency will assess the security risk associated with the use of CDs/DVDs, as well as the business impact of removing this feature.

Completion date: October 2016.

Recommendation:

Assess the use of, and controls on, portable storage devices within the context of the Agency's own programs and environment, and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

Agreed.

The Canada Border Services Agency will assess the use of, and controls on, portable storage devices within CBSA, and implement appropriate controls to address identified gaps and weaknesses.

Completion date: December 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Agency has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented and enforced on laptops, tablets and USB storage devices;
  • Anti-virus protection is deployed on laptops and tablets;
  • Local administrative rights are restricted on laptops and tablets, preventing users from installing unauthorized applications; and
  • Laptops and tablets have sound password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Agency has implemented a number of policies, standards and guidelines that collectively form its framework for managing portable storage devices (PSDs). The Policy on the Use of Electronic Resources, Policy on the Security of the Computing Environment, Directive on the Use of Wireless Technology and Information Security Policy are core governance instruments in this regard.

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding IT assets and information, the type of information that may be stored on PSDs and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanisms through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Agency has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

A mandatory employee security awareness program is in place. The on-line presentation addresses the obligation to safeguard information and assets, the requirement to label information stored on removable media and report the loss or theft of any corporate asset. The presentation also provides a list of resources, including policies related to the use of portable storage devices (PSDs).

The training is supplemented by other resources, such as a security bulletin that addresses the use of USB keys and other removable devices.

One element absent from the mandatory training presentation is the Agency's policy regarding the use of privately-owned PSDs for work-related purposes. The privacy risks surrounding privately-owned devices underscore the importance of ensuring employees are aware of the policies governing their use.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the Agency's policy regarding the use of privately-owned portable storage devices for work-related purposes.

Management Response:

Agreed.

The Canada Border Services Agency will ensure that all employees, including contract personnel, are aware of the Agency's policy regarding the use of privately-owned portable devices for work-related purposes.

Completion date: July 2016.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Agency's Security Policy.

If a security incident results in a privacy violation, the Agency's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

CANADA DEPOSIT INSURANCE CORPORATION

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Canada Deposit Insurance Corporation (CDIC or the Corporation) has established a mechanism that captures the issuance of laptops, tablets and smart phones.

A mechanism is also in place for identifying users of privately-owned portable storage devices (iPads and iPhones) for work-related purposes.

There is no formal registry for USBs (memory sticks), and the issuance of CDs and DVDs is not recorded. The Corporation reported that portable hard drives are not issued to staff.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

Management accepts this recommendation.

CDIC will enhance existing mechanisms to ensure that all portable storage devices that may contain personal information, including USB storage devices, are registered and tracked throughout their life cycle.

This work will be completed by March 31, 2016.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Corporation has implemented a centralized process for the disposal of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment at the Corporation's head office.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, CDIC has implemented a centralized disposal process. Specifically, the Corporation's regional office forwards surplus and defective devices to head office for sanitization and/or disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as it involves the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

Management accepts this recommendation.

CDIC will assess its existing disposal processes to ensure that additional controls are in place to mitigate any potential risk of a data exposure associated with the shipment of non-sanitized devices.

This work will be completed by March 31, 2016.

Observations:

CDIC re-images surplus laptops prior to selling the devices to staff. If not sold to staff, the devices, as well as surplus CDs/DVDs, are destroyed by a third party service provider. Certificates of destruction are obtained.

The re-imaging process deployed is not considered a secure method for purging data residing on hard drives.

The use of certified software for sanitization purposes provides a high level of assurance that data has been purged. In addition, such software generates a confirmation report. This provides an organization with the ability to demonstrate that it has exercised due diligence in ensuring a full, secure wipe has been performed.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

Management accepts this recommendation.

CDIC will enhance its existing processes in order to retain documentary evidence as verification that data on surplus or defective portable storage devices has been destroyed in a secure manner.

This work will be completed by March 31, 2016.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

With the exception of optical discs (CDs and DVDs), the Corporation has formally assessed the risks surrounding the use of portable storage devices. However, the risk analysis did not cover the absence of technical controls to address:

  • the connection of unauthorized USB storage devices; and
  • the ability to download and run unauthorized applications on laptops and tablets.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,
  • the ability to download and run unauthorized applications on laptops and tablets,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

Management accepts this recommendation.

CDIC has begun to assess any risks to personal information associated with the use of unauthorized USB storage devices, the use of CDs/DVDs to store data, and the ability to download and run unauthorized applications on laptops and tablets. CDIC has started to implement a number of controls in order to address the gaps and weaknesses identified by the OPC.

This work will be completed by March 31, 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Corporation has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption is deployed on some laptops and USB storage devices (i.e. those used for compliance examinations);
  • Encryption is implemented on smart phones;
  • Anti-virus protection is deployed on laptops;
  • Laptops have sound password parameters; and
  • Local administrative rights are restricted on smart phones, preventing users from installing unauthorized applications.

However, encryption has not been implemented on all laptops. In addition, tablets and smart phones have weak password parameters, including privately-owned devices that are permitted for work-related purposes.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

Management accepts this recommendation.

CDIC will enhance its current processes in order to ensure that encryption is deployed on all portable storage devices that may contain personal information.

This work will be completed by March 31, 2016.

Recommendation:

Strengthen password parameters on tablets and smart phones, both CDIC-issued devices and privately-owned devices permitted for work-related purposes.

Management Response:

Management accepts this recommendation.

CDIC will strengthen its existing password parameters on tablets and smart phones, both CDIC-issued devices and privately-owned devices permitted for work-related purposes.

This work will be completed by March 31, 2016.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Corporation has implemented a number of policies that collectively form its framework for managing portable storage devices (PSDs). The Acceptable Use Policy for IT Resources, IT Security Policy and Information Security Policy are core governance instruments in this regard.

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding IT assets and information, the type of information that may be stored on devices and the requirement to report the loss or theft of a device. The use of privately-owned PSDs is also addressed in policy.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Corporation has policies in place that govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

An IT security awareness deck presentation was developed in 2011. It has not been updated since that time. The presentation addresses the importance of protecting passwords and the use of CDIC-issued USB storage devices for transporting data. The presentation refers to future security training initiatives, including the proper usage of wireless equipment and awareness training related to emerging technology safeguards.

The Corporation reported that it was in the process of closing gaps with respect to training.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the privacy risks inherent to the use of the devices.

Management Response:

Management accepts this recommendation.

CDIC will enhance its existing security training and awareness program to ensure that all employees, including contract personnel, receive training on the use of portable storage devices.

This work will be completed by December 31, 2015.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Corporation's IT Security Policy.

If a security incident results in a privacy violation, the Corporation's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

CANADA MORTGAGE AND HOUSING CORPORATION

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Canada Mortgage and Housing Corporation (CMHC or Corporation) has established a mechanism that captures the issuance of laptops, tablets, mobile phones and USB memory sticks.

The issuance of portable hard drives, as well as CDs and DVDs, is not recorded.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The Corporation accepts the recommendation.

CMHC recognizes that all portable storage devices retaining personal information should be recorded for identification and tracking purposes. To address this observation, CMHC will ensure that external hard drives and CD/DVD writers are included in the existing inventory registry. In addition, the registry will be updated to document whether the device will be used to record or store personal information.

I&T Security Risk conducts yearly Policy validation. In doing so, I&T Security will be auditing the Asset Management policy to ensure safeguards are in place. In addition, CMHC's updated I&T Security Awareness program will specifically communicate strategies to all employees on how to minimize the risk of data loss with regard to portable storage devices. Overall, it is not standard practice to store any personal information on CDs or DVDs at CMHC.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

The Corporation has implemented a centralized process for managing the disposal of surplus and defective portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, CMHC has implemented a centralized approach for managing the disposal of surplus and defective portable storage devices. Regional sites forward devices to the Corporation's head office for sanitization and disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as it involves the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

The Corporation accepts the recommendation.

CMHC recognizes the potential risk of data loss for devices that are shipped from a regional office to National Office. The current disposal process was assessed and devices that have been identified as surplus are sanitized onsite prior to transit, therefore mitigating the potential risk of a data exposure should a device or devices be lost in transit.

Observations:

CMHC uses non-certified wiping software to sanitize surplus laptops prior to their disposal. This software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

CMHC obtains certificates of destruction for any device that is disposed of by a third party service provider.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The Corporation accepts the recommendation.

CMHC is currently using an industry-best practice cleansing mechanism to sanitize surplus laptops prior to their disposal. CMHC will review its process on generating a report that confirms that all data on surplus or defective portable storage devices has been destroyed. Management recommends modifying the process to record the date and time of the cleansing of the device in the change management tracking system (MARVAL).

Timing and delivery of work will be considered as part of the regular business planning process and will be included in the scope of the 2016 technology business plan.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although CMHC has not formally assessed the privacy risks surrounding the use of portable storage devices, various controls have been implemented to address specific risks.

There is one exception. The Corporation has not assessed the risk to personal information resulting from the ability to download and run unauthorized applications on laptops.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from the ability to download and run unauthorized applications on laptops and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The Corporation accepts the recommendation.

Although a formal assessment on the risk to personal information resulting from the ability to download and run unauthorized applications on laptops has not been conducted, CMHC uses a number of recognized practices limiting the risk of installing malicious software or file sharing services such as

  • Antivirus, Anti-Malware Software
  • Outbound Communication Controls at the perimeter (Egress Firewalls)
  • Web / URL Filtering

CMHC's current policy, which all employees are required to accept and adhere to, stipulates that employees are not to install unauthorized applications on any corporate device. As part of the I&T Security Awareness program CMHC will specifically re-iterate this policy along with the risks associated with the installation of unauthorized applications.

Management will also consider additional controls in the version of the current desktop configuration standard. Timing and delivery of work will be aligned to the next major desktop upgrade.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

CMHC has implemented a number of controls to protect personal information transmitted to and retained on portable storage devices, including:

  • Antivirus is implemented on laptops and is centrally controlled;
  • CMHC-issued USB storage devices are encrypted;
  • Ability to write to optical discs is restricted; and
  • Restrictions on the ability to download applications on smartphones.

However, encryption is not implemented or enforced on laptops.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

The Corporation accepts the recommendation.

CMHC's current policy, which all employees are required to accept and adhere to, stipulates that corporate information is not to be stored locally on portable storage devices (laptops). As part of the I&T Security Awareness program CMHC will specifically re-iterate this policy along with the risks associated with storing corporate information on local portable devices. In addition, CMHC will perform a cost, benefit, risk analysis to determine the viability of encrypting all CMHC laptops.

Timing and delivery of work will be considered as part of the regular business planning process and will be included in the scope of the 2016 technology business plan.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

CMHC has implemented a number of policies that form its framework for managing portable storage devices (PSDs). The Corporation's IT Security Policy and Standards, Records Management Policy, and Software and Hardware Policy are core governance instruments in this regard.

When reviewed collectively, the existing instruments address all types of PSDs, responsibility for safeguarding IT assets, the type of information that may be stored on the devices and the obligation to report the loss or theft of a device. The use of privately-owned devices is also addressed.

The existing framework will be complemented by the implementation of the Corporation's Acceptable Use Policy for PSDs, which is pending senior management approval.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Corporation has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

CMHC has implemented a mandatory information management training program for all employees; however, the presentation does not address the use of portable storage devices.

The training is supplemented by the issuance of security bulletins and communiqués that reference the protection of corporate assets, CMHC's Data Loss Prevention Initiative and the use of USB storage devices. Although these are valuable awareness tools, there is no assurance that all employees have reviewed them.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

Management Response:

The Corporation accepts the recommendation.

CMHC currently has an I&T Security and Awareness Program underway that ensures all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provides guidance to mitigate the risks inherent to the use of the devices.

Full comprehensive program delivery targeted for 2016.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in CMHC's IT Security Policy and Standards.

If a security incident results in a privacy violation, CMHC's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact) and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

CANADA REVENUE AGENCY

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Canada Revenue Agency (CRA or Agency) has established a mechanism that captures the issuance of laptops, tablets and USB storage devices (memory sticks and portable hard drives).

The issuance of CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The Agency accepts the recommendation.

The audit recognized that CRA already has a registry that captures laptops/notebooks, tablets, portable hard drives and USBs.

In May 2015, the CRA expanded this inventory process to also include new and existing CDs and DVDs, thereby fully addressing the OPC recommendation.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

The Agency has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, CRA has implemented a decentralized disposal process. Inquiries confirmed that regional sites forward surplus and damaged devices to certain sites within the region, or in some instances to CRA's head office, for sanitization and disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

The Agency accepts the recommendation.

The audit recognized that CRA's surplus and defective portable storage devices pending disposal are stored in a secure environment, and that there are formalized standard operating procedures in place, including a process for managing the disposal of devices.

The Agency will review existing corporate policy instruments as they relate to the one remaining potential risk while devices are in transit from regional sites to certain sites charged with sanitization and disposal of the devices. Should updates be required to address any gaps in the procedures, the updated direction will be communicated to all areas involved by September 30, 2015.

Observations:

CRA uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The Agency accepts the recommendation.

The Agency is currently analyzing recommended sanitization products and processes in use by other departments and the available procurement options to determine the most suitable replacement product or process for the CRA. This analysis is underway and steps to acquire and implement the new product or process will begin immediately following the approved selection. This will be completed by September 30, 2015.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

CRA has completed risk assessments for portable storage devices within the context of specific CRA programs. While encryption is available to be used on CDs and DVDs, the risk analysis did not cover the absence of technical controls to address the use of CDs and DVDs to store data.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risks to personal information resulting from the use of CDs/DVDs to store data and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The Agency accepts the recommendation.

The audit recognized that CRA has conducted risk assessments for portable storage devices within the context of specific CRA programs and that encryption is available to be used on CDs and DVDs.

To further reduce risks, the Agency has since:

  • identified remaining areas of risk associated with CDs/DVDs;
  • updated its corporate policy instruments accordingly;
  • expanded the PSD inventory process to include CDs and DVDs, as referenced in response to recommendation #1; and
  • conducted a pilot to disable the record functionality on laptops and workstations for employees who do not require it as part of their functions, and equip the remaining workstations with mandatory encryption. Full roll-out will be completed by March 31, 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Agency has implemented various controls to protect personal information transmitted to and retained on portable storage devices including:

  • Encryption has been implemented on laptops;
  • Local administrative rights are restricted, preventing users from installing unauthorized applications on laptops;
  • CRA-issued USB storage devices are encrypted; and
  • Technical controls are in place to prevent the use of unauthorized USB storage devices.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

CRA has implemented a number of directives and standards that collectively form its framework for managing portable storage devices (PSDs). The Agency's Storage, Disposal, Transmittal & Transport of Protected and Classified Information and Assets Directive, Security Incident Reporting and Management Directive, Standard for Electronic Devices, Information and Systems Protection Standard, and Disposal of Protected and Classified Information and Assets Standard are core governance instruments in this regard.

When examined collectively, the existing instruments address all types of PSDs, responsibility for safeguarding IT assets, the type of information that may be stored on devices and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Agency has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and the associated risks surrounding, portable storage devices.

Observations:

The Agency has implemented mandatory security awareness training for employees which addresses the use of portable storage devices. The training covers safeguarding information and assets, labelling devices and reporting the loss or theft of information and devices. The use of privately-owned devices is also addressed.

As part of its security awareness campaign, the Agency issued emails and bulletins to staff regarding the use of USB devices. These communications reiterate employees' obligation to use only CRA-authorized devices, label and physically protect them, and report the loss or theft of a device.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

The mandatory security awareness training program in place addresses the acceptable uses of, and the risks surrounding, portable storage devices. Accordingly, no recommendation is required.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in the Agency's Security Incident Reporting and Management Directive and Breach of Information Assessment Directive.

If a security incident results in a privacy violation, the Agency's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

CANADIAN HUMAN RIGHTS COMMISSION

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Canadian Human Rights Commission (CHRC or the Commission) has established a mechanism that captures the issuance of laptops, tablets and mobile phones.

The issuance of USB storage devices (memory sticks and portable hard drives), as well as CDs and DVDs, is not recorded.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The Commission accepts the recommendation.

The Commission will develop a central inventory of PSDs (including laptops, tablets, encrypted USBs, BlackBerry devices, etc.) by March 2016.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

The Commission has implemented a centralized process for managing the disposal of surplus and defective portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, CHRC has implemented a centralized approach for managing the disposal of surplus and defective portable storage devices. Regional sites forward devices to the Commission's head office for sanitization and disposal. The potential risks surrounding this process have not been formally assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

The Commission accepts the recommendation.

The Commission will ensure a new IT Policy on Access, Network, and Device Use is in place by December 2015. It will include:

  • A clear statement that no protected information is to be saved locally. If protected information needs to be stored/carried it must be with an authorized USB.
    • Develop a User's Agreement for use of PSDs—which will be read, understood, and signed by users prior to their PSDs being issued.
  • A clear and unequivocal statement that protected information should only be stored in RDIMS and authorized USBs and never on unauthorized USBs or CD/DVDs.

The Commission will include risks of data exposure from use of PSDs in the Corporate Risk Profile being developed and completed by March 2016.

The Commission will continue or put in place by October, 2015, practices to better ensure protection of personal information by:

  • Having regional employees return defective devices when visiting the NHQ; and
  • Consulting the Departmental Security Officer (DSO) whenever required to ensure adequate levels of security of information in transit.

Observations:

The Commission uses certified wiping software to sanitize surplus hard drives prior to disposal. Although the software generates documentary evidence (verification report) confirming that a hard drive has been securely wiped, the Commission does not retain copies of the verification reports.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The Commission accepts the recommendation.

The Commission will implement the practice of saving certification after data wiping by October, 2015.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although the Commission has not formally assessed the risks surrounding the use of portable storage devices, various controls have been implemented to address specific risks.

However, the following risks have not been addressed:

  • the absence of technical controls to prevent the use of unauthorized USB storage devices; and
  • the use of CDs and DVDs to store data.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from:

  • the lack of controls on the connection of unauthorized USB storage devices; and
  • the use of CDs/DVDs to store data;

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The Commission accepts the recommendation.

The Commission will ensure a new IT Policy on Access, Network, and Device Use is in place by December 2015 that includes a clear statement that no protected information is to be saved locally. If protected information needs to be stored/carried it must be with an authorized USB.

  • Develop a User's Agreement for use of PSDs—which will be read, understood, and signed by users prior to their PSDs being issued.

The Commission will include risks of data exposure from use of PSDs in the Corporate Risk Profile being developed and completed by March 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Commission has implemented a number of controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Anti-virus is implemented and controlled centrally on laptops;
  • Sound password parameters have been implemented for laptops;
  • Local administrator rights are removed, preventing users from installing unauthorized applications on laptops; and
  • USB devices (memory sticks) issued are encrypted.

However, encryption has not been implemented on laptops, and smart phones have weak password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

The Commission accepts the recommendation.

The Commission will ensure a new IT Policy on Access, Network, and Device Use is in place by December 2015. It will include:

  • A clear statement that no protected information is to be saved locally. If protected information needs to be stored/carried it must be with an authorized USB; and
  • A clear and unequivocal statement that protected information should only be stored in RDIMS and authorized USBs and never on unauthorized USBs or CD/DVDs.

Recommendation:

Strengthen password parameters on BlackBerry devices.

Management Response:

The Commission accepts the recommendation.

The Commission will continue or put in place by October, 2015, practices to better ensure protection of personal information by consulting with the Commission Management Committee regarding a change in BlackBerry password to 8 characters using 3 of 4 character types.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Commission has implemented a number of policies and directives that collectively form its framework for managing portable storage devices (PSDs). CHRC's Policy on IT Security, Policy on Acceptable Network and Device Use, Wireless Communications Directive and IT Security Operational Directive are core governance instruments in this regard.

Responsibility for safeguarding IT assets, as well as the type of information that may be stored on the devices, is established in policy.

However, when examined collectively, the existing instruments do not address all types of devices (e.g. silent on the use of USBs, CDs and DVDs), or the Commission's policy regarding the use of privately-owned devices for work-related purposes. Moreover, while the requirement to report the loss or theft of laptops and mobile devices is prescribed under policy, there is no reference to other types of PSDs.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Ensure that policies governing the use of portable storage devices address:

  • all types of devices that are used to store personal information;
  • the use of privately-owned portable storage devices for work-related purposes; and
  • the requirement to report the loss or theft of all portable storage devices.

Management Response:

The Commission accepts the recommendation.

The Commission will ensure a new IT Policy on Access, Network, and Device Use is in place by December 2015 that includes:

  • All types of devices that are used to store personal information;
  • Rules on the use of privately-owned PSDs for work-related purposes; and
  • The requirement to report the loss or theft of all PSDs.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and the associated risks surrounding, portable storage devices.

Observations:

The Commission has implemented mandatory information management and security awareness training for employees. However, the use of portable storage devices is not addressed in significant detail. Moreover, the training does not address reporting the loss or theft of the devices or the use of privately-owned devices for work-related purposes.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

Management Response:

The Commission accepts the recommendation.

The Commission will ensure by December, 2015 that all employees, including contract personnel, are aware of the policies governing the use of PSDs by:

  • Updating training to include detailed information on the use of PSDs; and
  • Including information on IT policies in the employee orientation kit.

By December, 2015 the Commission will develop a User's Agreement for use of PSDs—which will be read, understood, and signed by users prior to their PSDs being issued.

The Commission will include risks of data exposure from use of PSDs in the Corporate Risk Profile being developed and completed by March 2016.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in the Commission's Policy on IT Security and also embedded in its Wireless Communications Directive and IT Security Operational Directive.

If a security incident results in a privacy violation, the Commission's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

CITIZENSHIP AND IMMIGRATION CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Citizenship and Immigration Canada (CIC) has established a mechanism that captures the issuance of laptops, tablets and USB storage devices (memory sticks and portable hard drives).

The issuance of CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

CIC accepts the recommendation.

CD/DVD burning capability is currently blocked at CIC. Users who require the ability to copy data from the CIC network require approval by the Assistant Deputy Minister (ADM). This, in turn, significantly reduces the use of CDs/DVDs within CIC.

Action Plan:

In order to implement this recommendation, CIC will take the following actions by March 31, 2016:

  • Centralize the purchase, distribution and disposal of CDs and DVDs (where applicable) to the IT Asset Management (ITAM) group.
  • Record the exception in the ITAM system.
  • Provide a template to users, who are permitted to copy personal data to CDs/DVDs, to record creation/distribution of CDs/DVDs and provide it on a quarterly basis to ITAM.
  • Current CIC intranet pages, with new guidelines and procedures, will be updated to reflect the change.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

CIC has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, regional offices manage the disposal of portable storage devices. However, there are exceptions. Some of the regional offices return surplus USBs and defective hard drives to head office for sanitization and disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

CIC accepts the recommendation.

Action Plan:

CIC IT Security and IT Asset Management will assess the current disposal process as it relates to shipment of surplus and/or defective PSDs to ensure appropriate controls are in place by December 31, 2015. In the meantime, defective storage devices will be kept securely on site. In addition, since the interviews took place, only encrypted USB keys are now used for data handling in CIC, subsequent to the Data Loss Prevention implementation, further reducing the risk of data exposure.

Observations:

CIC uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

CIC accepts the recommendation.

IT Security reviewed the current products that are certified to meet ITSG-06 and that also generate documentary evidence. The software has a professional version, which is recognized as Common Criteria EAL 3+ and meets CSE ITSG-06. It also generates documentary evidence. The product is currently on the Government of Canada Software Licensing Supply Arrangement (SLSA).

Action Plan:

CIC IT Security will be submitting an investment proposal to acquire an enterprise license and implement the professional version of the software by December 31, 2015. This will ensure that certified software is being used that generates documentary evidence.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

CIC has formally assessed the risks surrounding the use of portable storage devices; various controls have been implemented to address specific risks.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Security and privacy risks have been assessed regarding the use of portable storage devices; therefore, no recommendation is required.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

CIC has implemented a number of controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented on laptops and USB storage devices;
  • Local administrative rights are restricted, preventing users from installing unauthorized applications on laptops;
  • Strong password parameters have been implemented; and
  • Controls have been implemented to prevent the use of unauthorized USB storage devices, CDs and DVDs.
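
The controls listed above only work together with the issuance register described under Line of Enquiry I: a port-control agent can block an unregistered memory stick only if it can look the device up. The following is an added example, not the tooling of CIC or any other audited institution, showing a policy evaluator for removable-media attach events. The rules it applies are assumptions drawn from the observations on this page (registered and encrypted devices allowed for their holder; optical writing refused unless an approved exception is recorded; a device reported lost raised as an alert). Vendor and product IDs, serial numbers, user names and exception references are constructed sample data.

```python
"""Added example, not the audited institutions' tooling: a policy evaluator
for removable-media attach events that ties the issuance register to the
logical controls. All identifiers and events below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DeviceKey = Tuple[str, str, str]  # (vendor_id, product_id, serial)


@dataclass
class IssuedDevice:
    issued_to: str
    hardware_encrypted: bool
    status: str = "active"  # assumed states: active | lost | retired


def device_key(vendor_id: str, product_id: str, serial: str) -> DeviceKey:
    return (vendor_id.lower(), product_id.lower(), serial)


def _decision(action: str, reason: str, alert: bool = False) -> dict:
    return {"action": action, "reason": reason, "alert": alert}


def evaluate(event: dict, register: Dict[DeviceKey, IssuedDevice],
             exceptions: Dict[str, str]) -> dict:
    """Return an allow/deny decision for one attach event.

    event fields (constructed): user, kind ("usb-storage" | "optical"),
    vendor_id, product_id, serial. 'alert' marks events the incident
    response process should see, not just the policy log."""
    user, kind = event["user"], event["kind"]

    if kind == "optical":
        ref = exceptions.get(user)
        if ref:
            return _decision("allow", f"optical write permitted under exception {ref}")
        return _decision("deny", "optical writing is blocked without a recorded exception")

    if kind != "usb-storage":
        return _decision("deny", f"device class {kind!r} is not an approved storage class")

    entry = register.get(device_key(event["vendor_id"], event["product_id"], event["serial"]))
    if entry is None:
        return _decision("deny", "device is not in the issuance register", alert=True)
    if entry.status == "lost":
        # a device reported lost has reappeared: an incident, not a policy miss
        return _decision("deny", "device was reported lost or stolen", alert=True)
    if entry.status != "active":
        return _decision("deny", f"device status is {entry.status}")
    if not entry.hardware_encrypted:
        return _decision("deny", "device is registered but not encrypted")
    if entry.issued_to != user:
        return _decision("deny", f"device is issued to {entry.issued_to}, not {user}", alert=True)
    return _decision("allow", "registered, encrypted device used by its holder")


def audit_log(events, register, exceptions) -> List[str]:
    """One key=value log line per event, in a form a SIEM rule can match on."""
    lines = []
    for ev in events:
        d = evaluate(ev, register, exceptions)
        lines.append(f"user={ev['user']} kind={ev['kind']} serial={ev.get('serial', '-')} "
                     f"action={d['action']} alert={str(d['alert']).lower()} reason=\"{d['reason']}\"")
    return lines


# --- constructed sample data (no real vendor IDs or people) -------------------
SAMPLE_REGISTER = {
    device_key("1111", "aaaa", "SN-USB-0001"): IssuedDevice("asmith", hardware_encrypted=True),
    device_key("1111", "aaaa", "SN-USB-0002"): IssuedDevice("bjones", hardware_encrypted=True, status="lost"),
    device_key("2222", "bbbb", "SN-USB-0003"): IssuedDevice("cwong", hardware_encrypted=False),
}
SAMPLE_EXCEPTIONS = {"asmith": "ADM-2015-07"}  # user -> approval reference
SAMPLE_EVENTS = [
    {"user": "asmith", "kind": "usb-storage", "vendor_id": "1111", "product_id": "aaaa", "serial": "SN-USB-0001"},
    {"user": "dlee", "kind": "usb-storage", "vendor_id": "1111", "product_id": "aaaa", "serial": "SN-USB-0001"},
    {"user": "bjones", "kind": "usb-storage", "vendor_id": "1111", "product_id": "aaaa", "serial": "SN-USB-0002"},
    {"user": "cwong", "kind": "usb-storage", "vendor_id": "2222", "product_id": "bbbb", "serial": "SN-USB-0003"},
    {"user": "evans", "kind": "usb-storage", "vendor_id": "9999", "product_id": "ffff", "serial": "UNKNOWN-1"},
    {"user": "asmith", "kind": "optical"},
    {"user": "dlee", "kind": "optical"},
]

if __name__ == "__main__":
    for line in audit_log(SAMPLE_EVENTS, SAMPLE_REGISTER, SAMPLE_EXCEPTIONS):
        print(line)
```

The evaluator keys the register on vendor ID, product ID and serial rather than on a volume label, because a label is trivially changed by the user; a device that is registered but issued to someone else, or that was reported lost, is refused and flagged for incident response rather than silently logged.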

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

CIC has implemented a number of policies that form its framework for managing portable storage devices (PSDs). The Department's Policy on CIC IT Security, Policy on the Use of Approved Hardware at CIC, and Policy on the Use of Electronic Networks, are core governance documents in this regard.

The above policies were recently supplemented by CIC's Directive on Portable Devices and Removable Media. The Directive addresses all types of PSDs, responsibility for safeguarding IT assets, the type of information that may be stored on the devices, and the requirement to report the loss or theft of a device. In addition, the use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

CIC has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

CIC has implemented a mandatory on-line security awareness training course for all employees. The course includes a module dedicated to portable devices. The material covers safeguarding information and assets, reporting the loss or theft of information and devices, and the use of privately-owned devices.

The mandatory training is supplemented by other training initiatives and communiqués. In addition, CIC has implemented a user agreement for encrypted USB portable devices. The agreement reinforces the users' responsibility to comply with relevant CIC policies and directives.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

The mandatory security awareness training program in place addresses the acceptable uses of, and the risks surrounding, portable storage devices. Accordingly, no recommendation is required.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in CIC's Policy on IT Security and also embedded in the Directive on Portable Devices and Removable Media.

If a security incident results in a privacy violation, CIC's privacy breach protocol is triggered. Key elements of the protocol are: breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

FARM CREDIT CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Farm Credit Canada (FCC or the Corporation) has established a mechanism that captures the issuance of laptops, tablets and smart phones.

The issuance of USB storage devices (memory sticks and portable hard drives), CDs and DVDs is not recorded.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

FCC Management accepts the recommendation.

USBs (memory sticks) — Registration and tracking of USBs (memory sticks) will be enabled through Phase 1 of the Secure Managed USB Project. Rollout is scheduled for August 31, 2015.

Portable hard drives — Registration and tracking of portable hard drives will be implemented following the procurement of a Service Management tool (i.e. asset management). Implementation is dependent on initiative approval and priority-based sequencing as per FCC's portfolio governance process. Approval and priority sequencing decisions will be made by September 30, 2015.

Optical discs (CDs and DVDs) — New FCC workstations will not include optical discs. Existing workstations with CDs/DVDs will be replaced over the next 3 years (by June, 2018) and an approved storage method (i.e. encrypted managed USBs) will be provided as required.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Corporation has implemented a centralized process for the disposal of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment at the Corporation's head office.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, the Corporation has implemented a centralized disposal process. With the exception of small quantities of optical discs (CDs/DVDs), devices are shipped to FCC's head office for sanitization and/or disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

FCC Management accepts the recommendation.

An Operational Risk and Control Self-Assessment (RCSA) will be conducted on the current process for disposal of surplus and defective portable storage devices. The RCSA will be conducted by December, 2015, with recommendations to be implemented by March 31, 2017.

Observations:

At the time of on-site examination activities, surplus laptops were sanitized at FCC's corporate office and then shipped to a third party for destruction. The process subsequently changed; hard drives are no longer wiped prior to disposal (destruction). FCC reported it will be establishing an administrative process to ensure destruction certificates are obtained and appropriately stored.

Surplus CDs and DVDs are also destroyed (shredded) by a third party. FCC confirmed that a certificate of destruction is not provided for optical discs.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

FCC Management accepts the recommendation.

USBs (memory sticks) — A process around the destruction of secure managed USBs (including documentary evidence) is scoped within Phase 1 of the Secure Managed USB Project. Rollout is scheduled for August 31, 2015.

Smart phones — A sourcing strategy will be put in place for a third party to provide confirmation of cleansing and/or physical destruction of surplus or defective smart phones. The sourcing strategy will be completed by December 31, 2015, with implementation dates to be determined as part of the strategy.

Portable hard drives — We will require a certificate of destruction to be provided from a third party service provider, effective January 1, 2016.

Optical discs (CDs and DVDs) — New FCC workstations will not include optical discs. Existing workstations with CDs/DVDs will be replaced over the next 3 years (by June, 2018) and an approved storage method (i.e. encrypted managed USBs) will be provided as required, including a secure disposal process with confirmation of destruction.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although a number of controls have been implemented as part of its overall IT security posture, with the exception of laptops, the Corporation has not formally assessed the risks surrounding the use of portable storage devices.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from:

  • the lack of controls on the connection of unauthorized USB storage devices;
  • the use of CDs/DVDs to store data; and
  • the ability to download and run unauthorized applications on BlackBerry devices and tablets;

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

FCC Management accepts the recommendation.

A risk assessment will be conducted by March 31, 2016, and additional controls will be implemented as required by March 31, 2017.

Recommendation:

Assess the use of iPads and iPhones—insofar as the type of data that may be stored on the devices—and enhance data protections if default hardware encryption is deemed insufficient.

Management Response:

FCC Management accepts the recommendation.

An assessment will be conducted by March 31, 2016, and additional controls will be implemented as required by March 31, 2017.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Corporation has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented on laptops;
  • Anti-virus protection is deployed on laptops;
  • Local administrative rights are restricted on laptops, preventing users from installing unauthorized applications; and
  • Laptops have sound password parameters.

However, encryption has not been implemented on tablets, USB storage devices and smart phones. Moreover, tablets and smart phones lack strong password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information, including BlackBerry devices.

Management Response:

FCC Management accepts the recommendation.

USBs (memory sticks) — Encrypted USBs (memory sticks) will be introduced through Phase 1 of the Secure Managed USB Project. Rollout is scheduled for August 31, 2015.

Optical discs (CDs/DVDs) — New FCC workstations will not include optical discs. Existing workstations with CDs/DVDs will be replaced over the next 3 years (by June, 2018) and an approved storage method (i.e. encrypted managed USBs) will be provided as required.

Portable hard drives — We will conduct an assessment to determine if encrypting portable hard drives negatively impacts current processes. If there is a negative impact, we will treat as a policy exception. The assessment will be completed by March 31, 2016.

Smart phones — Containerization has been implemented for all BlackBerry and Android smart phones issued to FCC staff. A strategy for implementing containerization for iPhones and Windows phones will be developed by September 30, 2015, with implementation by March 31, 2016.

Recommendation:

Strengthen password parameters on tablets and smart phones.

Management Response:

FCC Management accepts the recommendation.

Password parameters will be strengthened on tablets and smartphones by December 31, 2015.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Corporation's Acceptable Use of IT Assets Policy and Enterprise Information Management Policy govern the use of portable storage devices (PSDs).

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding IT assets and information, the type of information that may be retained on PSDs and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Corporation has policies in place that govern the use of portable storage devices. As the policies are consistent with Government of Canada security requirements, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

The Corporation has an employee orientation program. The on-line training requires employees to acknowledge that they've read the Acceptable Use of IT Assets Policy and understand their accountabilities in that regard.

The training does not address the use of portable devices for storage purposes.

The Corporation reported that there is a plan to update the on-line orientation training to address the use of FCC-authorized USB storage devices.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the privacy risks inherent to the use of the devices.

Management Response:

FCC Management accepts the recommendation.

Applicable updates to the Acceptable Use of Information Technology Assets Policy will be made by September 30, 2015.

FCC employee and contract/consultant education and awareness materials supporting the use of PSDs will be developed and rolled out by March 31, 2016. Examples include: updates to the Employee Orientation Quiz to support revisions to the Acceptable Use of Information Technology Policy, updates to third party resource contracts policy, and creation of documentation (leverage quiz content) to provide to all third party contractors.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Corporation's Acceptable Use of IT Assets Policy.

If a security incident results in a privacy violation, FCC's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

FISHERIES AND OCEANS CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Fisheries and Oceans Canada (DFO or the Department) has established a mechanism that captures the issuance of laptops, tablets and USB storage devices (memory sticks and portable hard drives).

The issuance of CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The department accepts this recommendation.

The DFO automated solution to enforce encryption on portable storage devices includes a Registration Form in which users need to indicate the level of sensitivity of the information they will store on the device. All portable devices are registered into a central database along with the level of sensitivity of the data.

Users cannot register any portable device and store information on portable devices without recording the classification of the data.

Some documented exemptions exist for special needs such as Science's large data sets and Conservation and Protection Directorate needs to exchange data with courts and tribunals.

The deployment for the ITPIN is complete for all regions except the National Capital Region. For the NCR, the deployment is expected to be completed by October 31, 2015.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Department has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal were not consistently held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Although a formalized process is in place, certain surplus devices were being stockpiled at some of the regional sites visited, and the method used to dispose of optical discs at one site does not comply with established policy.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Ensure that portable storage devices are retained in a secure area pending disposal, and disposal methods used comply with departmental policy.

Management Response:

The department accepts this recommendation.

DFO will ensure all regions, where portable storage devices are stored pending disposal, possess a secure container to store them until disposal. A review of current facilities will be completed and RCMP approved filing cabinets must be procured where required.

Projected Completion Date - October 31, 2015.

Observations:

As reported above, the Department has implemented a decentralized process for managing the disposal of portable storage devices (PSDs).

Inquiries confirmed that smaller offices transfer surplus PSDs to designated collection sites for sanitization and/or disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

The department accepts this recommendation.

Shared Services Canada is now providing Disposal of Electronic Media services to Departments. To that end, they released a document entitled "Procedures for the Disposal of Electronic Media" which outlines how to securely transport and dispose of electronic media and its data. DFO will ensure this procedure is understood and followed by all employees involved in media destruction by providing them with the documentation and by organizing awareness meetings/sessions.

Projected Completion date - October 31, 2015.

Observations:

The Department uses certified wiping software to sanitize surplus laptops prior to their disposal. The software generates documentary evidence (verification report) confirming that a hard drive has been securely wiped.

At the time of examination, none of the sites visited retained copies of the verification reports. One site subsequently reported that it had revised its procedures and would commence doing so.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The department accepts this recommendation.

DFO Operational IT Security Standard — Media Protection and the IT Service Desk sanitization procedure will be revisited to ensure DFO retains documentary evidence (report generated by sanitization software as well as media destruction certificate issued by SSC for physical destruction).

Projected Completion date - October 31, 2015.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

With the exception of optical discs (CDs and DVDs), the Department has formally assessed the risks surrounding the use of portable storage devices.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from the use of CDs/DVDs to store data, and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The department accepts this recommendation.

Since the Office of the Privacy Commissioner conducted its audit, DFO has implemented a policy which makes CD and DVD devices read-only on all DFO workstations.

The deployment of the solution is completed for all regions except for the National Capital Region (NCR). For NCR, the deployment is expected to be completed by October 31, 2015.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Department has implemented a number of controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented and enforced on laptops, tablets and USB storage devices;
  • Anti-virus protection is deployed on laptops;
  • Local administrative rights are restricted on laptops and tablets, preventing users from installing unauthorized applications; and
  • Laptops and tablets have sound password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Department has implemented a number of policies and standards that collectively form its framework for managing portable storage devices (PSDs). The Operational IT Security Standard-Portable Data Storage Device, the Operational IT Security Standard-Media Protection, and the Designated and Classified IT Media Labelling and Handling Standard are core governance instruments in this regard.

When examined collectively, existing instruments address all types of PSDs, responsibility for safeguarding IT assets and information, the type of information that may be stored on PSDs and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Department has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

A number of awareness tools and resources have been developed. An on-line training presentation addresses the use of portable storage devices (PSDs), including connectivity to the corporate network and the storage of data on such devices. It also provides guidance to minimize the risk of a data exposure. The on-line presentation is supplemented by other resources, such as security bulletins and communiqués.

When examined collectively, a number of sound awareness tools have been established. However, in the absence of mandatory participation in training/awareness sessions, there is a risk that employees may not possess an understanding of the policies and standards governing the use of PSDs, including the recently implemented Operational IT Security Standard-Portable Data Storage Device.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

Management Response:

The department accepts this recommendation.

The DFO automated solution to enforce encryption on portable storage devices includes a Registration Form which states the users' obligations with regards to proper handling of portable storage devices:

I HEREBY CONFIRM THAT I AM USING AN AUTHORIZED DEVICE PROVIDED TO ME BY DFO and I HEREBY CERTIFY THAT THE DEVICE IDENTIFIED ABOVE:

  1. Is a Government asset (not a personal one);
  2. Is to be kept under my constant control and possession at all times in an appropriate security container;
  3. Will never store data rated at a higher level than the data classification level selected in the box above;
  4. Is labeled according to DFO labeling standards for Portable Data Storage Devices;
  5. Is used to transport and store information only on a temporary basis and must not be used as permanent document repositories to store GC information;
  6. Will be cleared and disposed of according to the DFO IT Security Media Protection Standard. Deleting, erasing or reformatting files does not clear the device;
  7. Will be reported to the Department Security Office immediately in the event of loss or theft of the device;
  8. Shall be returned to DFO at the end of employment or at any point in time upon DFO's request.

[I agree] [I disagree]

[Register] [Cancel]

Users cannot register any portable device without certifying that they will meet those obligations.

Moreover, DFO Departmental Management Committee approved to make the Canada School of Public Security Awareness (A230) mandatory for all employees and a security awareness refresher is required every five years. All DFO employees with network access will have to complete the training by October 31, 2015.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Department's Operational IT Security Standard-Portable Data Storage Device.

If a security incident results in a privacy violation, DFO's privacy breach protocol is triggered. Key elements of the process are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

 


IMMIGRATION AND REFUGEE BOARD OF CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Immigration and Refugee Board of Canada (IRB or the Board) has established a mechanism that captures the issuance of laptops and tablets.

Registries also exist for some IRB-issued USBs (memory sticks); however, user names and device identification numbers are not recorded in all instances.

The issuance of portable hard drives, CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The IRB accepts the recommendation.

In order to comply, the IRB is leveraging the asset management module in the Financial System (SAP) to track the inventory of portable storage devices and their assignment to specific employees. All procurement of PSDs will be made through one departmental channel to ensure each device is captured in inventory. The operationalization will require the establishment of new procedures to ensure compliance.

The projected completion date is the end of Q3 (December 2015).

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Board has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are disposal processes in place; however, they have not been formalized into an established policy or documented procedures.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Implement a formalized process to ensure personal information stored on surplus and defective portable storage devices is disposed of in a consistent, secure manner.

Management Response:

The IRB accepts the recommendation.

The operationalization will require new procedures to ensure compliance.

The projected completion date is the end of Q3 (December 2015).

Observations:

The Board uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The IRB accepts the recommendation.

We are currently investigating the procurement of new certified software that will provide the required documentary evidence of cleansing. The operationalization of this new tool will require new procedures to ensure compliance.

The projected completion date is the end of Q4 (March 2016).

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although the Board has implemented a number of controls as part of its overall IT security posture, it has not formally assessed the risks surrounding the use of portable storage devices other than laptops.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,
  • the ability to download and run unauthorized applications on tablets,
  • the manual method of enforcing encryption on laptops and tablets,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The IRB accepts the recommendation.

A threat & risk assessment (TRA) on the risk to personal information will be conducted in the context of the Data Loss Prevention (DLP) Project, which is required to support the provisions of ITPIN 2014-01 on the secure use of portable data storage devices.

The projected completion date is the end of Q4 (March 2016), subject to Shared Services Canada's provision of required infrastructure.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Board has implemented a number of controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented and enforced on laptops and tablets;
  • IRB-issued USB storage devices are encrypted;
  • Anti-virus protection is deployed on laptops;
  • Local administrative rights are restricted on laptops, preventing users from installing unauthorized applications; and
  • Laptops and tablets have sound password parameters.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Board has implemented a number of policies that collectively form its framework for managing portable storage devices (PSDs). The Acceptable Use of Electronic Networks, Removable Storage Media and Security policies are core governance instruments in this regard.

When examined collectively, existing instruments establish responsibility for safeguarding IT assets and information, as well as the requirement to report the loss or theft of a device. While the use of USBs (e.g. memory stick/key) is covered in significant detail, policies do not explicitly address other types of PSDs (e.g. laptops, tablets, compact discs) or the use of privately-owned devices.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Ensure that policies governing the use of portable storage devices address:

  • all types of devices that may be used to store personal information;
  • any restrictions on the type of information (security classification) that may be stored on the devices; and
  • the use of privately-owned portable storage devices for work-related purposes.

Management Response:

The IRB accepts the recommendation.

The Network Acceptable Use Policy (NAUP) was updated in February 2015. The Removable Storage Media Policy which dates to 2007 is being updated and will be renamed as the Portable Data Storage Devices Policy.

The projected completion date is the end of Q3 (December 2015).

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

New employees are provided with a security briefing as part of the Board's staff orientation process. A deck presentation, prepared for this purpose, highlights employees' responsibility to protect information and assets, and to report security incidents involving the loss or theft of an IRB asset. The presentation is silent on the use of portable storage devices.

As part of its security awareness campaign, the Board issued a bulletin regarding the use of USB devices. The bulletin addresses privately-owned USB devices and provides guidance to minimize the risk of a USB data exposure.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the privacy risks inherent to the use of the devices.

Management Response:

The IRB accepts the recommendation.

The IRB will update the Security Awareness training package offered for new employees. This information will also be posted on the IRB's Intranet and available to all employees. Annual reminders will be sent to employees providing links to relevant policy instruments and training materials.

The projected completion date is the end of Q4 (March 2016).

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Board's Security Policy.

If a security incident results in a privacy violation, the Board's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

 


PAROLE BOARD OF CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Parole Board of Canada's (PBC or the Board) IT infrastructure—including IT assets—is managed by Correctional Service Canada pursuant to a Memorandum of Understanding between the two organizations.

There is a mechanism that captures the issuance of laptops and tablets, as well as some USBs (memory sticks). The issuance of CDs and DVDs is not recorded. The Board reported that portable hard drives are not issued to staff.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The Board accepts the recommendation.

Correctional Service Canada keeps an inventory of all laptops, tablets and Blackberry devices used by PBC employees, which can be obtained easily when required. A tracking and monitoring system for USB keys, external drives and optical discs is being developed by PBC and will be launched in time for the implementation of PBC's Directive on the Use of Portable Data Storage Devices.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus and defective portable storage devices.

Observations:

The Board has implemented a decentralized disposal process. Regional offices are responsible for managing their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, regional offices manage the disposal of their portable storage devices. There is one exception. Devices that cannot be cleansed (wiped) are forwarded to Correctional Service Canada's head office for destruction. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analyzed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as it involves the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

The Board accepts the recommendation.

CSC already has a procedure in place for the sanitization and destruction of hard drives, as well as mobile devices such as Blackberries and tablets, and will make necessary adjustments to ensure that the current procedure mitigates the risk of data exposure, if necessary. For other external devices, PBC will collaborate with CSC in order to establish a sanitization and disposal procedure that reduces the risks to a minimum.

Observations:

Correctional Service Canada uses certified wiping software to sanitize surplus laptops prior to their disposal. Although the software generates documentary evidence (verification report) confirming that a hard drive has been securely wiped, the sites visited were not retaining copies of the verification reports.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been disposed of in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The Board accepts the recommendation.

CSC's IT Security division has recently confirmed that the software used for all data sanitization comes with a system-generated confirmation of data erasure.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Correctional Service Canada has formally assessed the risks surrounding the use of portable storage devices. However, the risk analysis did not cover the absence of technical controls to address:

  • the connection of unauthorized USB storage devices; and
  • the use of CDs/DVDs to store data.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of CDs/DVDs to store data,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The Board accepts the recommendation.

CDs and DVDs have limited and specific uses at the PBC, and while the PBC's Directive on the Use of Portable Data Storage Devices gives indications on appropriate use, a risk analysis will have to be conducted in order to determine the cases, if any, where storing information on a CD or a DVD would be acceptable. At the same time, PBC will look for ways to replace the use of CDs or DVDs as much as possible, and work with CSC where required. CSC is already working on a project to restrict the use of USB keys. Any USB device that is not pre-authorized will be automatically blocked.

The target date for the completion of this project is March 2016.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

Correctional Service Canada has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented and enforced on laptops and tablets;
  • Anti-virus protection has been deployed on laptops and tablets;
  • Local administrative rights are restricted on laptops, preventing users from installing unauthorized applications; and
  • Laptops and tablets have sound password parameters.

Although encryption is available for USB storage devices, it is not enforced. Moreover, the use of USBs is not restricted to approved devices.
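As an added illustration (not part of the audit report, and not any department's own configuration), the PowerShell below applies on a single Windows workstation the two logical controls at issue here and in the DFO and IRB findings above: making optical drives read-only, and refusing writes to USB storage that is not encrypted. The registry keys are the documented Group Policy backing locations for the "Removable Storage Access" and BitLocker policy settings; the function names and the assumption that the host has the BitLocker feature installed are the example's own.

```powershell
# Added example, not taken from the audit report or from any of the departments' tooling.
# Applies on one Windows host the two logical controls discussed above, then reads the
# effective settings back so the state can be evidenced. Registry locations are the
# documented Group Policy backing keys for "Removable Storage Access" and BitLocker;
# in a domain they would be set by GPO rather than written locally. Run from an elevated prompt.

$OpticalClass = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD drives (Removable Storage Access class)
$RsaRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$FveRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'    # BitLocker policy

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Optical drives become read-only: discs can still be read, but data can no longer be burned to them.
Set-PolicyDword -Path "$RsaRoot\$OpticalClass" -Name 'Deny_Write' -Value 1

# 2. Enforce encryption on USB storage: a removable drive that is not BitLocker-protected is
#    mounted read-only, so personal information cannot be copied to an unencrypted stick.
Set-PolicyDword -Path $FveRoot -Name 'RDVDenyWriteAccess' -Value 1

# 3. Read back the effective policy and the protection status of every removable volume
#    currently attached, as a record for the control owner.
function Get-PsdControlState {
    $rsa = Get-ItemProperty -Path "$RsaRoot\$OpticalClass" -ErrorAction SilentlyContinue
    $fve = Get-ItemProperty -Path $FveRoot -ErrorAction SilentlyContinue
    $removable = Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            [pscustomobject]@{ Drive = $mp; Encrypted = [bool]($bl -and $bl.ProtectionStatus -eq 'On') }
        }
    [pscustomobject]@{
        OpticalWriteDenied        = ($rsa.Deny_Write -eq 1)
        UnencryptedUsbWriteDenied = ($fve.RDVDenyWriteAccess -eq 1)
        RemovableVolumes          = @($removable)
    }
}

Get-PsdControlState | Format-List
```

Two practitioner caveats. First, both values take effect only after the policy is refreshed (gpupdate or a reboot), so the read-back function reports what is written, not necessarily what is yet enforced. Second, this enforces encryption but does not restrict which USB devices may be attached; that is a separate Device Installation Restrictions policy whose allow/deny precedence differs between Windows versions, so any allow-list of approved devices should be tested on the target build before it is deployed.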

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that encryption is deployed on all portable storage devices that may contain personal information.

Management Response:

The Board accepts the recommendation.

Encryption is already deployed on laptops, tablets and Blackberries used by employees of the Board. The next step will be to ensure that encryption is used on USB keys and to limit the circulation of CDs and DVDs to store personal information, and that is included within PBC's Directive on the Use of Portable Data Storage Devices. Furthermore, encryption will be considered as a requirement in any future use of Portable Storage Devices.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

The Board is in the process of establishing a standalone policy (directive) to govern the use of portable storage devices (PSDs). The Directive on the Use of Portable Data Storage Devices was initially drafted in October 2014; the document was in the consultation stage at the time the audit concluded.

The Directive addresses all types of PSDs, responsibility for safeguarding the assets, the type of information that may be stored on them and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protect organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanisms through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Finalize and implement the Directive on the Use of Portable Data Storage Devices.

Management Response:

The Board accepts the recommendation.

The Information Management Committee has agreed on a final draft of the directive to be presented to the Senior Management Committee for approval at their upcoming meeting on September 22, 2015.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

The Parole Board of Canada delivers mandatory security awareness sessions to new employees upon intake. The presentation addresses the obligation to safeguard information and report security incidents. However, it is silent on the use of portable storage devices.

The intake training is supplemented by awareness sessions delivered at two of the three regions visited during the audit.

When examined collectively, there is no assurance that all employees and Board Members possess an understanding of their obligations with respect to the use of portable storage devices. With the pending implementation of the Directive on the Use of Portable Data Storage Devices, there is an opportunity to update existing awareness tools to ensure policy requirements are communicated to staff.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the privacy risks inherent to the use of the devices.

Management Response:

The Board accepts the recommendation.

The Canada School of Public Service security course A230 (Security Awareness) has been made mandatory for PBC employees. As well, all employees will be made aware of their responsibilities with respect to the PBC Directive on the Use of Portable Data Storage Devices when it comes into effect in September 2015.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report security incidents is established under the Board's Safeguarding Information and Assets Directive. This obligation is also reinforced in the Directive on the Use of Portable Data Storage Devices.

If a security incident results in a privacy violation, the Board's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

PUBLIC HEALTH AGENCY OF CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

The Public Health Agency of Canada (Agency or PHAC) has established a mechanism that captures the issuance of laptops, tablets and portable hard drives.

Encrypted USB memory sticks issued at the Agency's head office and the National Microbiology Laboratory are registered. However, the issuance of such devices at one of the regional offices visited was not documented.

The issuance of CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

The Agency accepts the recommendation.

A consistent inventory register for managing portable storage devices will be implemented for Headquarters, all Regions and the National Microbiology Laboratory.

Proposed completion date: Q3 - 2015/2016.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

PHAC has implemented a decentralized disposal process. The Agency's head office, regional sites and laboratories are responsible for the disposal of their respective inventories of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, PHAC has adopted a decentralized process for managing the disposal of portable storage devices. Within the National Capital Region, surplus devices are transferred from one office location to another where they are held pending disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate risk of a data exposure.

Management Response:

The Agency accepts the recommendation.

The Agency will assess the current disposal practices, establish and implement protocols for safe transport of surplus/defective portable storage devices between locations and update the IT Asset Management Guide.

Proposed completion date: Q4 - 2015/2016.

Observations:

The Agency uses non-certified wiping software to sanitize surplus laptops prior to their disposal. The software does not generate documentary evidence (verification report) confirming that a hard drive has been securely wiped.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

The Agency accepts the recommendation.

The Agency will:

  • establish a centralized management for confirmation of physical destruction and/or cleansing.
  • identify possible controls for certified cleansing mechanism or physical destruction of portable storage devices.
  • revise procedures and processes and update log/attestation forms.
  • implement Data Loss Prevention Software (DLP).

Proposed completion date: Q4 - 2015/2016.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Although PHAC has not formally assessed the risks surrounding the use of portable storage devices, various controls have been implemented to address specific risks.

However, the following risks have not been analysed:

  • the absence of technical controls to prevent the use of unauthorized USB storage devices; and
  • the use of tablets, specifically the ability to download and run unauthorized applications.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from

  • the lack of controls on the connection of unauthorized USB storage devices,
  • the use of tablets,

and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

The Agency accepts the recommendation.

The Agency will publish the Standard and Guideline on USB Storage Devices and implement a technical control to log all USB drives connected to the network.

Proposed completion date: Completed.

The Agency will create a targeted communication via a pop-up message regarding the use of USB drives to all employees.

Proposed completion date: Q3 - 2015/16

The Agency will implement a Terms of Use Reference form that must be signed prior to receiving a tablet.

Proposed completion date: Completed

The Agency will update the Global Security Policy and Standard Operating Procedures.

Proposed completion date: Completed

The Agency will conduct a Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA) on the use of tablets.

Proposed completion date: Q4 - 2015/16

The Agency will replace existing unmanaged devices with standard devices which prohibit the installation of software by unauthorized individuals (deployment of Windows 8.1 devices).

Proposed completion date: Q4 - 2015/16

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

The Agency has implemented various controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Anti-virus protection is deployed and controlled centrally on laptops;
  • Local administrative rights are restricted on laptops; and
  • Encryption has been implemented on laptops and USB storage devices.

However, passwords on laptops were weak.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

Strengthen password parameters on laptops.

Management Response:

The Agency accepts the recommendation.

The Agency's password policy, including minimum password length and adherence to complexity criteria, will be implemented for network access.

Proposed completion date: Q3 - 2015/16

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

PHAC has implemented a number of policies and standards that collectively form its framework for managing portable storage devices (PSDs). The Agency's Secure Use of Portable Data Storage Media and Devices Standard and the Acceptable Use of Electronic Devices and Network Standard are core governance documents in this regard.

When reviewed collectively, the existing instruments address all types of PSDs, responsibility for safeguarding IT assets, the type of information that may be stored on devices, and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

The Agency has policies in place to govern the use of portable storage devices. The policies are consistent with Government of Canada security requirements; therefore, no recommendation is required.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and associated risks surrounding, portable storage devices.

Observations:

Employees are provided security awareness training as part of PHAC's orientation program. The training addresses the obligation to safeguard portable storage devices (PSDs), as well as the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed. The training does not cover the type of information that can be transmitted and stored on devices. Moreover, the training has not been provided to all staff.

The Agency has implemented a user agreement for PSDs. PHAC reported that it is being updated to encompass all devices assigned to each user.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

Management Response:

The Agency accepts the recommendation.

The Agency will raise IT security awareness by leveraging internal tools and training activities, specifically by:

  • improving training and communications with employees
    Proposed completion date: Q4 - 2015/16
  • publishing best practices and a revised Acceptable Use Policy
    Proposed completion date: Q3 - 2015/16

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in PHAC's IT Policy and also embedded in the Secure Use of Portable Data Storage Media & Devices Standard and the Acceptable Use of Electronic Devices and Networks Standard.

If a security incident results in a privacy violation, PHAC's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.

SHARED SERVICES CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

A mechanism is in place to register and track the issuance of new smart phones (BlackBerry 10 devices) that Shared Services Canada (SSC) deploys to employees within its 43 partner organizations.

However, the registry does not accurately reflect the full inventory of devices currently in use. SSC reports that at the time of transition (SSC assumed responsibility for the management of telephony) its partner organizations did not provide complete listings of their respective inventories of mobile devices. In an effort to compile a complete listing of all devices, including smart phones, SSC implemented the following:

  • the voluntary registration of devices (SSC's portal used for this purpose);
  • the identification of devices with inactivity for a period of 90 days, with the intent of cancelling associated accounts that are no longer required; and
  • a bulk issuance of BlackBerry 10 devices—approximately 60,000—in exchange for older generation devices (BlackBerry 5 devices).

Notwithstanding these efforts, SSC reports that an accurate inventory may not be available until the E-mail Transformation Initiative (ETI) is fully operational. As a result of a number of administrative and technical challenges surrounding the ETI, project implementation has been delayed. The current projected completion date is September 2016.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, institutions lack the ability to determine what devices are being used, by whom, and for what purposes. By extension, it impedes their ability to minimize the risk of a data loss.

Recommendation:

In collaboration with partner organizations, ensure that all active smart phones are captured, either by user or contact name, in a registry by January 2016.

Management Response:

SSC agrees with the recommendation.

Smart phones are enterprise assets and must be tracked by SSC. A technical solution is being implemented over time. Meeting the proposed timeline will require significant additional effort and full cooperation from all SSC partners.

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

SSC has formalized procedures in place to manage the disposal of smart phones.

Responsibility for managing the disposal of devices is prescribed under SSC's Operating Standard for the Provision of Telecommunication Devices. The Standard requires partner organizations to return smart phones to SSC. It also stipulates that responsibility for sanitization of devices rests with the partner organization; however, it does not provide any direction in this regard (i.e., sanitization methods). SSC reported that it performs a cleansing exercise (wiping) upon receipt of a returned device.

Although not appearing to be systemic in nature, the audit confirmed a lack of full compliance with the requirements established under the Standard. For example, some surplus devices are not returned to SSC and others are returned without being sanitized.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Remind partner organizations of their responsibilities under the Operating Standard for the Provision of Telecommunications Devices, including the sanitization of smart phones prior to disposal.

Management Response:

SSC agrees with the recommendation.

SSC will prepare and send a communiqué to remind partner organizations of their responsibilities.

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Smart Phones

While no formal risk assessment has been completed on smart phones, as part of its overall security posture SSC has implemented appropriate baseline security controls through the establishment of configuration profile options. Partner organizations must select one of the profile options, all of which include enforced encryption, strong password parameters and controls to prevent access to corporate data through unauthorized applications.

USB Storage Devices

In accordance with its mandate, SSC owns and operates servers on behalf of its partner organizations. These servers contain data relating to the operating programs of the organizations and by extension, may include significant amounts of personal information.

There are no technical controls in place to prevent the connection of unauthorized USB storage devices at the server level. As a result, there is a potential risk that data may be extracted and stored on such devices.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Assess the risk to personal information resulting from the lack of controls on connection of unauthorized USB storage devices on servers, and implement appropriate controls to address identified gaps and weaknesses.

Management Response:

SSC agrees with the recommendation.

SSC will perform an assessment of the potential risks associated with use of unauthorized USB storage devices on servers, taking into consideration existing physical, logical and personnel controls, to be completed by fiscal year-end 15-16. SSC will also develop and implement a mitigation plan for the residual risks from the risk assessment subject to resource and funding availability, starting in 16/17.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

SSC has adopted a multi-step approach in transitioning responsibility for the management of BlackBerry devices from partner organizations. To address the primary wave of the transition, SSC implemented a BB10 Interim Service; key elements of the interim service are:

  • A requirement to use BlackBerry 10 devices;
  • The establishment of a number of configuration profiles for BlackBerry 10 devices, all of which enforce baseline security controls (e.g. encryption, strong password parameters, etc.); and,
  • A bulk issuance of BlackBerry 10 devices (approximately 60,000) in exchange for older generation devices (BlackBerry 5 devices).

The roll-out of the interim service commenced in the spring of 2015. As part of the initiative, partner organizations must select one of the configuration profiles established by SSC. Once the selection is confirmed, SSC will proceed with migrating devices—previously managed by the partner organization—to SSC's environment. At the time the audit concluded, SSC had completed the migration of one partner organization. SSC indicated that the interim service should be fully implemented by the second quarter of FY 2016-2017.

While the interim service will upgrade the majority of users to BlackBerry 10 devices—with a secure configuration profile—a number of BlackBerry 5 devices will remain in use. Some of these devices may have inadequate controls. Of the ten SSC partner organizations that were included as part of this audit, the following observations were noted:

  • Two do not enforce sound password controls;
  • Two do not enforce encryption; and,
  • Six do not have controls in place to prevent users from downloading and installing unauthorized applications.

Officials also reported that the security weaknesses highlighted above will be addressed either through the roll-out of the BB10 Interim Service or the full implementation of the Email Transformation Initiative.

Regardless of the solution used to address the absence of baseline security controls, the existing weaknesses may persist until September 2016 within some partner organizations. These devices may retain personal information, placing privacy at risk.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted party and erode public trust in an institution's ability to protect privacy.

Recommendation:

Ensure that baseline security controls are implemented on all smart phones in use at partner organizations by January 2016.

Management Response:

SSC agrees with the recommendation.

SSC has implemented baseline security controls on all BB10 devices and those BB5 devices which are going to be migrated to ETI. SSC will work toward meeting the recommended timeline; however, this will be a challenge given ETI's implementation schedule.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

SSC has established a number of instruments to govern the management of portable storage devices, including smart phones deployed at partner organizations. The Operating Standard for the Provision of Telecommunication Devices, Operating Standard on the Acceptable Use of Cellular Devices, Directive on the Use of USB and Other External Storage Devices, and the Policy on Departmental Security are key governance documents in this regard.

When examined collectively, the existing instruments establish the requirement to safeguard information and label it according to its designated sensitivity, as well as the obligation to report the loss or theft of corporate assets. The use of privately-owned USB storage devices is also addressed.

Notwithstanding, there is one policy requirement that is noteworthy from a privacy perspective. The operating standards instruct a user to notify his or her manager and client technical administrator of an incident—involving the loss or theft of a smart phone—within one business day. The reporting timeframe may not be consistent with the partner organization's security and privacy policies. As the data residing on the device does not fall under SSC's control, the partner organization's security incident and/or privacy breach protocols should take precedence, including when—and to whom—the incident should be reported.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Amend the Provision of Telecommunication Devices and Acceptable Use of Cellular Devices Standards to instruct users to comply with their respective organizations' protocols for reporting security incidents and privacy breaches.

Management Response:

SSC agrees with the recommendation.

The standards will be amended accordingly.

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and the associated risks surrounding, portable storage devices.

Observations:

Partner Organizations - Use of Smart Phones

The policy surrounding the use of a smart phone is prescribed under the Operating Standard on the Acceptable Use of Cellular Devices. The Standard addresses the requirement to safeguard the asset and report the loss or theft of same, as well as the obligation to return the device when it is no longer required or the user departs the organization. Prior to activation, users are required to acknowledge that they have read and understand their obligations under the Standard.

Shared Services Canada - Staff co-located within partner organizations

Employees, including client technical administrators, are required to complete the mandatory on-line security awareness training administered by the Canada School of the Public Service (CSPS).

Although SSC stated that it has implemented various privacy- and security-related awareness initiatives, it acknowledged that they do not specifically address the use of PSDs. As CSPS training is generic in nature and designed for a government-wide audience, there is no assurance that SSC staff co-located within partner organizations possess an awareness of SSC policies governing the use of portable storage devices, or of the obligation to comply with the stricter security requirements should there be a conflict between an SSC policy and the policy of the partner organization.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that an employee will not exercise the appropriate level of due diligence in managing personal information stored on a portable device. This could result in a privacy breach.

Recommendation:

Ensure that Shared Services Canada employees who have access to partner organizations' information holdings are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the privacy risks inherent to the use of the devices.

Management Response:

SSC agrees with the recommendation.

SSC employees are completing the mandatory Security Awareness training offered by the Canada School of the Public Service. This training includes a section on acceptable uses of, and the associated risks surrounding, portable storage devices.

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

SSC has an established protocol for managing privacy breaches. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

The protocol defines SSC's role in the event of three types of incidents:

  • Breaches involving data under SSC's control;
  • Breaches involving data under a partner organization's control; and
  • Breaches when SSC has outsourced an enterprise service.

Personal information collected by partner organizations and stored on SSC's IT systems is not considered to be under the control of SSC. As such, roles and responsibilities are shared when a breach involves SSC's IT infrastructure and partner organizations' data.

Although SSC manages telecommunication services, security officials within partner organizations are responsible for investigating incidents involving the loss or theft of smart phones. SSC's role in this regard is limited to providing assistance in containing the breach.

If a storage device (e.g. portable hard drive) containing partner organization data is lost by an SSC employee (client technical administrator), the partner organization would assume the lead role in the investigation. SSC security staff may be involved in the process.

Although a process is in place to investigate the loss or theft of a smart phone, inquiries were unable to confirm, with certainty, the steps taken to contain a suspected or confirmed breach (e.g. timing of wipe command, re-activating account to facilitate receipt of wipe command, etc.). SSC reported that it is in the process of developing standardized processes for the loss or theft of BlackBerry devices. Once available, they will be provided to partner organizations.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Implement standardized procedures for responding to incidents involving the loss or theft of smart phones.

Management Response:

SSC agrees with the recommendation.

SSC will communicate standardized procedures for responding to these incidents to partners by November 2015.

STATISTICS CANADA

LINE OF ENQUIRY I: PHYSICAL CONTROLS

INVENTORY MANAGEMENT

Expectation:

A mechanism is in place to register and track the issuance of portable storage devices—that may contain personal information—throughout their life cycle.

Observations:

Statistics Canada (the Department) has established a mechanism that captures the issuance of laptops and USB storage devices (memory sticks and portable hard drives).

The issuance of tablets, CDs and DVDs is not recorded.

Shared Services Canada is responsible for tracking the issuance of smart phones.

Consequence:

In order to ensure adequate security measures are in place to protect personal information entrusted to them, federal institutions must know where data is stored. The identification and tracking of assets is critical in this regard. Without such a mechanism, the institution lacks the ability to determine what devices are being used, by whom and for what purposes. By extension, it impedes the institution's ability to minimize the risk of a data loss.

Recommendation:

Ensure that the issuance of all portable storage devices—that may be used to retain personal information—is recorded for identification and tracking purposes.

Management Response:

Accept the recommendation.

Action plan regarding inventory management of tablets:

All tablets—that may be used to retain personal information—are identified, tracked and managed using the same controls that are used for laptops and desktops. At the time of the audit, Statistics Canada had not started issuing tablets. In March 2015, Statistics Canada launched a tablet trial including formal inventory management of tablets. This recommendation has been addressed and the action plan completed.

Target completion date: Completed as of March 2015

Action plan regarding inventory management of CDs/DVDs:

The strategy to address this recommendation is to eliminate the use of CDs and DVDs, other than for purposes of disseminating public information. If Statistics Canada is not able to entirely eliminate the use of CDs and DVDs from its business processes, every exception request will require DG level approval. The use of CDs and DVDs—that may be used to retain personal information—will be identified, tracked and managed centrally. An additional safeguard is to encrypt CDs/DVDs that may be used to retain personal information.

The initial step is to modify the standard configuration of all workplace technology devices to disable the use of CDs and DVDs except for documented exception requests as noted above. All recently acquired devices do not have CD/DVD drives, representing 4100 out of 8500 devices.

Target completion date: December 18, 2015

DISPOSAL OF SURPLUS AND DEFECTIVE ASSETS

Expectation:

Formalized procedures are in place for the secure disposal of surplus or defective portable storage devices.

Observations:

Statistics Canada has established a centralized process for managing the disposal of portable storage devices (PSDs).

Surplus and defective PSDs pending disposal are held in a secure environment.

There are formal procedures in place that establish administrative and security requirements for the disposal of PSDs.

Consequence:

A formal (documented) process facilitates a standardized, consistent approach for the secure disposal of portable storage devices. The absence of same—or a lack of awareness of the process—presents a risk that inadequate disposal methods may be used, potentially resulting in an inappropriate disclosure of personal information.

Recommendation:

Formalized procedures are in place for the secure disposal of portable storage devices; therefore, no recommendation is required.

Observations:

As reported above, Statistics Canada has implemented a centralized process for managing the disposal of portable storage devices. Regional sites forward surplus and defective devices to the Department's head office for sanitization and disposal. The potential risks surrounding this process have not been assessed.

Consequence:

A disposal process that requires the shipment of non-sanitized portable storage devices from one location to another presents a potential risk of data exposures in the event that devices are lost or stolen in transit. This risk needs to be analysed. Without such analysis, procedural gaps and weaknesses that require mitigating controls (safeguards) to protect privacy will not be addressed.

Recommendation:

Assess the current disposal process—insofar as it involves the shipment of surplus and/or defective portable storage devices from various locations to a central site (e.g. head office)—to ensure appropriate controls are in place to mitigate the risk of a data exposure.

Management Response:

Accept the recommendation.

Action plan regarding disposal of surplus or defective portable storage devices:

Statistics Canada will review its disposal procedure for surplus or defective portable storage devices and assess the potential risk of data exposure in the event that a non-sanitized device is lost or stolen in transit when shipped from various locations to its head office. Based on the risk assessment, Statistics Canada will ensure the additional controls and safeguards, if required, are in place to mitigate the risk of data exposure.

Target completion date: December 18, 2015

Observations:

Statistics Canada uses CSEC-approved equipment (powerful magnets) to degauss (sanitize) the hard drives of laptops prior to their disposal. Although this provides some assurance that the drives are securely wiped, documentary evidence confirming same is not retained for verification purposes.

Consequence:

Organizations have an obligation to protect personal information under their control, from the time of collection until the data is disposed of by a secure method. The use of certified software for sanitization purposes, or the physical destruction of devices, provides the highest level of assurance in this regard.

In the absence of either a verification report generated by certified software—that confirms a full and secure wipe has been performed—or confirmation of physical destruction (e.g. certificate), there is no assurance that personal information has been destroyed in a secure manner.

Recommendation:

Retain documentary evidence—either the confirmation report generated by a certified cleansing mechanism or confirmation of physical destruction—as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner.

Management Response:

Accept the recommendation.

Action plan regarding the sanitization or physical destruction of surplus or defective portable storage devices:

Statistics Canada will review its disposal procedure to ensure it includes the additional step of retaining documentary evidence of the sanitization, or physical destruction, of surplus or defective portable storage devices. The verification report will provide assurance that personal information was destroyed in a secure manner.

Completion date: December 18, 2015

LINE OF ENQUIRY II: SECURITY CONTROLS

RISK ASSESSMENT

Expectation:

The security and privacy risks inherent to the use of portable storage devices have been assessed.

Observations:

Statistics Canada has formally assessed the risks surrounding the use of portable storage devices; various controls have been implemented to address specific risks.

Consequence:

Security and privacy risk analysis identifies potential threats and vulnerabilities surrounding the use of portable storage devices. Without such analysis, the institution may not address gaps and weaknesses that require mitigating controls.

Recommendation:

Security and privacy risks have been assessed regarding the use of portable storage devices; therefore, no recommendation is required.

IT CONTROLS

Expectation:

Adequate logical controls have been implemented to protect personal information transmitted to, and stored on, portable storage devices.

Observations:

Statistics Canada has implemented a number of controls to protect personal information transmitted to, and retained on, portable storage devices, including:

  • Encryption has been implemented on laptops and USB storage devices;
  • Local administrative rights are restricted preventing users from installing unauthorized applications on laptops;
  • Password parameters are strong; and
  • Use of unauthorized USB storage devices is prevented.

Consequence:

Adequate logical controls are essential to protect data residing on portable storage devices. If such controls are not in place, there is an increased risk of an unauthorized disclosure of personal information. This could result in harm to the impacted parties and erode public trust in an institution's ability to protect privacy.

Recommendation:

The existing controls examined as part of the audit were found to be adequate; therefore, no recommendation is required.

LINE OF ENQUIRY III: PRIVACY MANAGEMENT AND ACCOUNTABILITY

POLICY FRAMEWORK

Expectation:

Policies have been established governing the use of portable storage devices that are consistent with Government of Canada security requirements and best practices.

Observations:

Statistics Canada has implemented a number of policies and directives that collectively form its framework for managing portable storage devices (PSDs). The Department's IT Security Policy, Security Practices Manual, Policy on Privacy and Confidentiality, and Directive on the Security of Sensitive Statistical Information are core governance instruments in this regard.

When examined collectively, the existing instruments address all types of PSDs, responsibility for safeguarding IT assets, the type of information that can be stored on devices, and the requirement to report the loss or theft of a device. The use of privately-owned devices is also addressed.

Although Statistics Canada's policy prohibits the use of privately-owned PSDs, inquiries confirmed that there was not full compliance with the policy. Specifically, some officials use personal tablets to record notes.

Consequence:

Sound security-related policies are essential to protecting organizational assets, including personal information. They set out the organization's framework for meeting its legislative and administrative obligations. Moreover, by establishing accountability and associated responsibilities, they provide the mechanism through which privacy protection is integrated into day-to-day operations.

The absence of well-defined policies may result in inconsistent and inadequate information-handling practices that place privacy at risk.

Recommendation:

Ensure that all employees comply with the departmental policy governing the use of privately-owned portable storage devices.

Management Response:

Accept the recommendation.

Action plan regarding prohibiting the use of privately-owned portable storage devices for the storage of personal information:

To address this recommendation, Statistics Canada will review its training and awareness material to raise the awareness of roles and responsibilities for both employees and managers in exercising the appropriate level of due diligence to not use privately-owned devices at work for storage of personal information.

As a complementary measure, Statistics Canada has deployed to date 800 laptops (in lieu of desktops) to offer mobility to those users who need it while ensuring personal information is securely stored. Statistics Canada has also launched a tablet trial which will offer a secure alternative for highly mobile users that have a business need to record notes that may contain personal information during meetings.

Completion date: December 18, 2015

TRAINING AND AWARENESS

Expectation:

Employees, including contract personnel, are aware of the acceptable uses of, and the associated risks surrounding, portable storage devices.

Observations:

Statistics Canada has implemented mandatory security awareness training for employees. The training highlights employees' obligation to comply with the physical and IT security practices in place to protect confidential and other protected information. While it instructs employees to report security breaches, it does not explicitly advise them to report lost or stolen portable storage devices (PSDs). In addition, the training is silent on the Department's policy regarding the use of privately-owned devices.

The mandatory training is supplemented by communiqués regarding the acceptable use of PSDs.

When encrypted USBs are deployed, there is no requirement for users to sign an agreement outlining the terms and conditions governing the use of the device.

Consequence:

Compliance with the spirit and requirements of the Privacy Act depends largely on how well it is understood by those handling personal information.

In terms of the use of portable storage devices, employees must be aware of applicable organizational policies and procedures, and their roles and responsibilities in ensuring that these instruments function as intended. Without a clear understanding in this regard, there is a risk that employees will not exercise the appropriate level of due diligence in managing personal information stored on portable devices. This could result in a privacy breach.

Recommendation:

Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

Management Response:

Accept the recommendation.

Action plan regarding Training and Awareness related to the use of portable devices:

To address this recommendation, Statistics Canada will update the content of its mandatory Confidentiality Awareness computer-based training to include the following topics:

  • The requirement to report the loss or theft of portable storage devices and why it is important
  • The requirement to not use privately-owned devices at work to record personal information and why it is important

For each encrypted USB device assigned to an employee, Statistics Canada will require electronic signature of a USB user agreement containing terms and conditions of use. The USB user agreement will be renewed annually for every USB device assigned to a user.

Target completion date: December 18, 2015

SECURITY INCIDENTS - PRIVACY BREACHES

Expectation:

Incident response procedures have been implemented to address data exposures (inappropriate disclosures of personal information) resulting from the loss or theft of portable storage devices.

Observations:

Procedures are in place to respond to incidents involving the loss or theft of a portable storage device.

The requirement to report IT security incidents is established in Statistics Canada's Directive on the Security of Sensitive Statistical Information, Policy on Privacy and Confidentiality, Security Practices Manual, and its Information and Privacy Breach Protocol.

If a security incident results in a privacy violation, Statistics Canada's privacy breach protocol is triggered. Key elements of the protocol are breach containment, evaluation (impact), notification and prevention.

Consequence:

An organization is accountable for protecting personal information under its control. In the event of a suspected or confirmed data loss, the organization has an obligation to investigate the occurrence. Incident response procedures are a key element of the administrative infrastructure for doing so.

In the absence of an established protocol for responding to a potential or real privacy breach, there is a risk that the impact will not be fully understood and minimized, and appropriate measures will not be implemented to mitigate the risk of a reoccurrence.

Recommendation:

Incident response procedures are in place to address inappropriate disclosures of personal information; therefore, no recommendation is required.
