Internal Audit: Information Management Privacy and Compliance

Please note that under the Access to Information Act, a limited amount of text within this document may not be disclosed, and will be shown as [*].

 

Office of the Public Sector Integrity Commissioner (PSIC)

Internal Audit: Information Management Privacy and Compliance

 

April 11, 2014 - Final

 

RCGT Consulting Inc.
Dedicated to federal government - from coast to coast to coast

 

1. Executive Summary
  1.1 Audit Objectives and Scope
  1.2 Summary of Observations and Recommendations 
  1.3 Conclusion
2. Detailed Audit Report
  2.1 Introduction and Background
  2.2 Focus of the internal audit
  2.3 Observations
    2.3.1 Governance
    2.3.2 Internal Controls
    2.3.3 Monitoring and Oversight
  2.4 Conclusion
Appendix A
Appendix B

 

1. Executive Summary

1.1 Audit Objectives and Scope

The objective of this audit was to provide assurance on the adequacy and effectiveness of information management and privacy practices in place to support legislative and policy compliance requirements.
The audit focused on the operational activities related to the mandate of PSIC, as they pertain to the life cycle of information management and privacy for case files. The activities in scope included the intake/analysis, investigation, case report and archive/disposition processes. The audit covered a two (2) year period from April 1, 2012 to March 31, 2014.

 

1.2 Summary of Observations and Recommendations

We identified a number of positive findings as well as opportunities for improvement, which are summarized below and further detailed in section 2.3.

PSIC has a suite of IT policies and procedures in place which were found to be compliant with the Public Servants Disclosure Protection Act (PSDPA), and mostly aligned to the related Treasury Board (TB) information management and privacy policies. Information management and privacy controls are designed to help mitigate the risk of loss of information /confidentiality. Finally, controls related to file room access were recently improved, as they further limit the movement of and access to sensitive files.

Pertaining to opportunities for improvement and recommendations they are classified and prioritized according to the impact on the organization (high, medium or low as defined in Appendix B – Findings Rating Scale). During our audit, we noted four (4) key observations:

 

Key Observations Impact Assessment Recommendation Report Section
High Medium Low
1. Training and awareness   x   A 2.3.1
2. Policies, directives and procedures     x B 2.3.1
3. Internal control design, effectiveness and access controls   x   C 2.3.2
4. Monitoring and oversight   x   D 2.3.3

 

Our findings and recommendations are presented below by level of impact on PSIC.

Key Observation 1: Information Management Training and Awareness

There is no standardized/formal information management and privacy training provided to PSIC employees. This has led to an inconsistent understanding of information management and privacy protocols at PSIC.

Recommendation A:

PSIC should develop and administer ongoing training on information management and privacy risks and best practices.

 

Key Observation 2: Policies, Directives and Procedures (further detailed in section 2.3.1)

The position of the Department Security Officer was not identified in PSIC's organizational structure nor was it assigned to a PSIC employee in internal documents. In addition, Record disposal processes have not been formally defined or documented as prescribed by the TB Directive on Record Keeping.

 

Recommendation B:

PSIC should update its policy suite by:

  • Formalizing and documenting the PSIC Department Security Officer; and
  • Developing disposal procedures and practices

 

Key Observation 3: Internal control design, effectiveness and access controls

 

Control Design

We observed the following opportunities for improvement regarding the design of controls:

  • Documentation received is not logged and scanned during the investigation process;
  • Devices used by investigators to record interviews with disclosers and persons of interest are not password protected; and
  • There is no prescribed T-Drive structure and document naming convention.

Control Effectiveness

The testing of a sample of case files identified the following deficiencies:

  • Incomplete reception log; not all documents received were included in the log book;
  • Incomplete documentation in the CMS system; not all documents received were scanned or logged in CMS; 

[*]

 

 Access Controls

While there is a process in place to grant and revoke CMS access, guidelines for establishing which access should be granted by role are not documented. The current process of granting and revoking access is dependent on an administrative assistant's knowledge of traditional access levels. This presents a corporate knowledge risk, should the Deputy Commissioner's Administrative Assistant depart from the organization.

Recommendation C:

PSIC should strengthen the design and effectiveness of information management and privacy controls with a focus on:

  • Defining and strengthening controls in the areas of receipt of information, password protection and T-Drive structure and access controls; and
  • Implementing quality assurance measures to help ensure established processes and controls are being adhered to.

 

 

Key Observation 4: Monitoring and Oversight

Monitoring of information management at PSIC is a shared responsibility. PSIC's policies and directives state that the Canadian Human Rights Commission (CHRC) is responsible for monitoring IM/IT resources, and PSIC is responsible for monitoring cases and information management activities.

While CHRC responsibilities are documented in PSIC internal policies and directives, the memorandum of understanding (MOU) between the two organizations does not clearly outline expected CHRC monitoring responsibilities. For example PSIC policies identify CHRC as responsible to actively monitor the use of IM/IT resources; however this is not stated in the MOU. If monitoring requirements and expectations are not fully defined in the MOU with CHRC, information and privacy breaches may not be detected.

Monitoring responsibilities specific to internal threats have not been identified. As a result, suspicious activities from within the organization may be undetected resulting in the loss of information or breach of privacy.

Additionally, there was no evidence of PSIC monitoring activities related to case and information management activities. As a result, PSIC may not be aware of policy or privacy deviations that could lead to information loss or breach of confidentiality.

 

Recommendation D:
PSIC should consider:

  • Updating the MOU with CHRC to reflect expected roles and responsibilities captured in the internal policies and directives; and
  • Establishing general monitoring procedures as well as developing controls to help prevent the risk of internal threats.

 

1.3 Conclusion

Overall, PSIC practices were adequate to support legislative and policy compliance requirements. We identified robust information management and privacy policies, directives and procedures that were generally aligned with central agency requirements. However, there was a lack of formal information management and privacy training that has led to inconsistent practices across PSIC.

Information management and privacy controls have been defined. Key controls include independent file reviews to ensure completeness and presence of final documents and a defined process describing granting and revoking of access procedures and controls. Opportunities for improvement were identified in the areas of tracking information received, password protecting recording devices and standardizing the T-Drive structure. [*]

Monitoring and oversight procedures were limited and require attention specifically in the areas of defining CHRC's monitoring responsibilities and developing monitoring activities against internal threats.

 

 

2. Detailed Audit Report

This section presents detailed findings from the Information Management Privacy and Compliance audit. Findings are based on the evidence and analysis from our initial risk analysis and detailed audit.

2.1. Introduction and Background

The Office of the Public Sector Integrity Commissioner ("PSIC") was established to administer the Public Servants Disclosure Protection Act ("PSDPA", the Act), which came into effect in April 2007. PSIC, which is led by a Commissioner who reports directly to Parliament, independently assesses cases of disclosures of wrongdoing and complaints of reprisal.

When a case confirms wrongdoing, the Commissioner communicates findings through a report to Parliament which includes recommendations to Chief Executives of the organization where wrongdoing occurred. When reprisal is confirmed, the Commissioner can apply to the Public Servants Disclosure Protection Tribunal, which has the authority to determine if reprisals have taken place and to recommend appropriate remedial and disciplinary action. Reprisal is defined by the PSDPA as any adverse act taken against someone because he/she made a disclosure of wrongdoing or participated in an investigation. The Commissioner exercises exclusive jurisdiction over the review, investigation and resolution of reprisal complaints.

By law, federal institutions must limit their collection of personal information which directly relates to an operating program or activity of the institution. Once collected, the federal institution must also manage information with care and consideration. In order to comply with the Act and its supporting policies and directives, federal institutions are required to have sufficient policies and practices in place to protect personal information under its care and control.

The Information Management Privacy and Compliance audit was approved through PSIC's Risk-Based Audit Plan. The Risk-Based Audit Plan highlighted the requirement to assess and provide assurance on the effectiveness of governance, risk management and internal controls that support proper information management to help ensure confidentiality.

The information management life cycle can be illustrated in the following diagram:

Graphic depicting information management life cycle

 

2.2. Focus of the Internal Audit

The objective of the audit was to provide assurance on the adequacy and effectiveness of information management and privacy practices in place to support legislative and policy compliance requirements.
The audit focused on the operational activities related to the mandate of PSIC, as they pertain to the life cycle of information management and privacy for case files. The activities in scope include the intake/analysis, investigation, case report and archive/disposition processes. The audit covers a two (2) year period from April 1, 2012 to March 31, 2014.

Corporate, General Inquiries (GI), Legal Aid Request (LAR), ATIP, and Outreach processes/activities were excluded from the audit scope. The inherent risks within these processes were deemed low due to the reduced frequency of activities that could result in compliance, safeguarding and capacity & continuity risk.

 

2.3. Observations

Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit. Observations are presented below by line of inquiry. Please refer to Appendix A for the detailed list of lines of enquiry, audit criteria and sub-criteria.

 

2.3.1. Governance

Policies, Directives and Procedures

PSIC has developed IT policies, directives and procedures which are mostly aligned with PSDPA and related TB information management and privacy policies. Internal policies, directives and procedures include:

  • PSIC IT Security Policy
  • PSIC IT Security Directive
  • PSIC Operation Manual
  • Departmental Security Policy
  • Information Management Business Rules

As indicated in TB guidance documents, the PSIC policy suite identifies the need for a Department Security Officer responsible for establishing privacy practices, security clearance level requirements for employees and information management security monitoring protocols .

The position of Department Security Officer was not identified in PSIC's organizational structure. Discussion with management identified that the Executive Director acts as the Department Security Officer and is responsible for information management privacy. However, this is not formalized, as internal documents reviewed did not identify the Department Security Officer within PSIC.

Although information management policies, directives and procedures have been developed and implemented we identified additional areas for improvement. Record disposal processes have not been formally defined or documented as prescribed by the TB Directive on Record Keeping. The lack of formal guidance could result in inconsistent disposal practices.

 

Roles and responsibilities

Roles and responsibilities for employees working in operations are defined in their respective job descriptions and in the "Intake, Inquiries and Investigations Manual". Operations employees include all staff working on case files, as noted below:

  • Analysts
  • Investigators
  • Case Analysis Manager
  • Director of Operations
  • Legal Counsels
  • Deputy Commissioner
  • Commissioner

Documented roles and responsibilities include information management privacy requirements.

In line with TB policies, PSIC's internal policy suite describes the roles and responsibilities of the Department Security Officer. Due to the small size of the department, PSIC's policies and directives delegate certain responsibilities from the Department Security Officer to the IM/IT team of the Canadian Human Rights Commission (CHRC). A memorandum of understanding (MOU) between PSIC and CHRC identifies CHRC as the provider of information technology, information management and administrative services. The role and responsibilities of the Department Security Officer is detailed below.

Departmental Security Officer:

According to PSIC's IT Security Policy and Departmental Security Policy, the Department Security Officer is responsible for managing security issues and monitoring information management security. The Department Security Officer investigates suspected security incidents to determine potential vulnerabilities and ensure appropriate corrective actions are taken.

Information Management Training and Awareness

Periodic bulletins and information sessions are organized during the year to inform PSIC employees of information management and privacy risks and best practices. Examples include:

  • Distribution of informative flyers on the protection and manipulation of information according to document classification;
  • Distribution of a document titled "how to protect yourself online", which included information confidentiality and privacy; and
  • Emails reminding employees to lock all cabinets and computers when away from their desks when contractors are working in the office.

However, there is no standardized/formal information management and privacy training provided to PSIC employees, nor is there a mechanism in place to track training. The lack of standardized information management and privacy training has led to an inconsistent understanding of information management and privacy protocols at PSIC, particularly in the areas of:

  • Working with original or copies of documents (document integrity);
  • Uploading documents into Case Management System (CMS) (e.g. all versions vs. final version);
  • Tracking documents requested and received; and
  • Disposal of documents.

This lack of standardized, formal training pertaining to information management and privacy protocols could result in non-compliance with document integrity and chain of custody requirements.


Recommendation A (Medium Impact)

PSIC should develop and administer ongoing training on information management and privacy risks and best practices.

 

Management Response and Action Plan:
We accept this recommendation and an in-depth action plan will be developed to integrate this recommendation into PSIC standard procedures, which will then become part of the Operations Manual.

 

Recommendation B (Low Impact):

PSIC should update its policy suite by:

  • Formalizing and documenting the PSIC Department Security Officer; and
  • Developing disposal procedures and practices.

 

Management Response and Action Plan:

PSIC agrees with the recommendation and will formalize and document the PSIC Department Security Officer in consultation with CHRC. PSIC will develop disposal procedures and practices.

 

2.3.2 Internal Controls

Well-designed and effective information management and privacy controls help prevent the risk of loss or stolen information. Key information management controls throughout PSIC's case file processes were identified and tested.

There are two (2) potential processes that a case file may go through. The first is the case analysis process, where an analyst reviews the file to assess if the evidence provided justifies further investigation. If the evidence is deemed sufficient, the file moves onto the second process, which is investigation. The investigation process gathers evidence to prove or disprove the validity of a set of allegations.

Adequacy of Control Design

The design of information management and privacy controls was partially adequate throughout the case analysis and investigation processes. Good practices included independent file reviews to ensure completeness and presence of final documents and a defined process describing granting and revoking of access procedures and controls. Opportunities for improvement include:

  • The analyst is required to document all information that is received during the case analysis process. However, if additional documentation is received during the investigation process, the investigator is not required to scan the documents on the T-Drive and upload them into CMS. This may lead to inconsistencies in the recording of documentation received during investigations, which can impact the availability of information and the result of investigations.
  • Devices used by investigators to record interviews with disclosers and persons of interest are not password protected, which can present a risk to the confidentiality of the content if the recorder is lost or stolen.
  • There is no prescribed T-Drive structure and document naming convention, which can enable operation staff to systematically store documents and working papers in a standard format.

Control Effectiveness

We assessed whether information management and privacy controls were operating as intended. In summary, these controls included:

  • Existence and completeness of the reception log, including all documents received by mail, or fax;
  • CMS file summary, a report from the electronic file system, outlining a log of documentation requested, received and dates;
  • Review of the physical file (in comparison to the CMS file), reconciling that both files included:
    • Documentation received;
    • Communications sent or received;
    • Final, approved reports; and
    • Tracking of the physical file, i.e. documentation of who is in possession of the file at all times.

During the audit, eighteen (18) case files were sampled. Overall, information received during the case analysis process was appropriately recorded and stored. However, a number of control weaknesses were noted, as summarized below. [*]

  • Incomplete reception log; not all documents received were included in the log book;
  • Incomplete documentation in the CMS system; not all documents received were scanned or logged in CMS;

[*]


Access Controls

Access to the electronic file system, CMS, is managed by the Deputy Commissioner's Administrative Assistant where access is granted and revoked through the receipt of an email notification from corporate. Changes are made in the event of a new hire, departure or change in positions. For the most part, access to CMS is granted to operation employees, legal, the ATIP consultant and select corporate staff (Executive Director, Policy Analyst and some administrative assistants). Access and action restrictions are based on specific roles and business requirements.

Access to the hard copy file room is limited to:

  • The Case Analysis Manager
  • The Director of Operations
  • 3 administrative assistants
  • The Executive Director

There was no evidence to suggest that logical access to CMS is reviewed on a regular basis. However, our review of the existing access levels against specific roles and business requirements indicates that access is reasonable.

While there is a process in place to grant and revoke CMS access, guidelines for establishing which access should be granted by role are not documented. The current process of granting and revoking access is dependent on an administrative assistant's knowledge of traditional access levels. This presents a corporate knowledge risk, should the Deputy Commissioner's Administrative Assistant depart from the organization.

Recommendation C (Medium Impact):

PSIC should strengthen the design and effectiveness of information management and privacy controls with a focus on:

  • Defining and strengthening controls in the areas of receipt of information, password protection and T-Drive structure and access controls; and
  • Implementing quality assurance measures to help ensure established processes and controls are being adhered to.

Management Response and Action Plan:
We accept this recommendation in part only. The nature of PSIC's various working component that require access to the information located on the T-Drive, the level of security associated with PSIC personnel coupled with our current security posture does not require a profound access control mechanism to be put into place. We agree that some control measures as well as quality assurance are required and will become part of a forthcoming action plan once the required access parameters have been identified.

 

2.3.3 Monitoring and Oversight

Monitoring of information management at PSIC is a shared responsibility. PSIC's policies and directives state that CHRC is responsible for monitoring IM/IT resources, and PSIC is responsible for monitoring cases and information management activities.

System monitoring

The MOU between PSIC and CHRC states that services from CHRC will include the management of assets and backups, monitoring of firewalls and the network and security screening of individuals working at PSIC. The CHRC monitoring responsibilities help detect IT security incidents and provide coverage against possible external information privacy threats to PSIC.

While CHRC responsibilities are documented in PSIC internal policies and directives, the MOU between the two organizations does not clearly outline expected CHRC monitoring responsibilities. For example PSIC policies identify CHRC as responsible to actively monitor the use of IM/IT resources; however this is not stated in the MOU. If monitoring requirements and expectations are not fully defined in the MOU with CHRC, information and privacy breaches may not be detected.

Additionally, monitoring responsibilities specific to internal threats have not been identified. As a result, suspicious activities from within the organization may be undetected resulting in the loss of information or breach of privacy.

File Information Monitoring

PSIC is in the process of developing a quality assessment process to ensure files are adequately maintained, documented and aligned with PSIC operational requirements. During the course of the audit, there was no evidence of monitoring activities related to case and information management activities. As a result, PSIC may not be aware of policy or privacy deviations that could lead to information loss or breach of confidentiality.

Recommendation D (Medium Impact):

PSIC should consider:

  • Updating the MOU with CHRC to reflect expected roles and responsibilities captured in the internal policies and directives; and
  • Establishing general monitoring procedures as well as develop controls to help prevent the risk of internal threats.

Management Response and Action Plan:
PSIC agrees with the recommendation and will update the MOU accordingly. Discussion will take place with CHRC regarding the general monitoring procedures.

 

2.4 Conclusion

Overall, PSIC practices were partially adequate to support legislative and policy compliance requirements. We identified robust information management and privacy policies, directives and procedures that were generally aligned with central agency requirements. However, there was a lack of formal information management and privacy training that has led to inconsistent practices across PSIC.

Information management and privacy controls have been defined. Key controls include independent file reviews to ensure completeness and presence of final documents and a defined process describing granting and revoking of access procedures and controls. Opportunities for improvement were identified in the areas of tracking information received, password protecting recording devices and standardizing the T-Drive structure. [*]

Monitoring and oversight procedures were limited and require attention specifically in the areas of defining CHRC's monitoring responsibilities and developing monitoring activities against internal threats.

 

Appendix A - Audit Criteria

Line of Enquiry Audit Criteria Audit Sub-Criteria
Governance 1. Governance practices are in place which supports the achievement of compliance with the prescribed governing and operating framework.

1.1.   Internal policies and guidance exist and are updated periodically to align with and reflect requirements.

1.2.   Accountabilities, roles and responsibilities are clearly defined and understood by individuals responsible for information management.

1.3  Individuals handling information are adequately trained on the requirements over information management: confidentiality and privacy.

Internal Control 2. Key controls over information management are designed and effective to ensure compliance with requirements over privacy and confidentiality.

2.1    The information management control framework is adequately designed to ensure compliance with legislation, policies and procedures.

2.2    Controls are adequate to ensure timely, accurate, and complete recording of information management.

2.3    Access controls are adequate to prevent and detect mishandling of information (electronic and physical).

2.4  CHRC, IT Service provider has adequate controls in place to ensure security and protect.

Monitoring and Oversight 3. Monitoring and oversight activities are designed to mitigate risk.  3.1  Compliance with Information Management is subject to risk-based oversight and Quality Assurance

 

Appendix B - Findings Rating Scale

Our findings are classified and prioritized according to impact on the organization using the following definitions:

Findings Legend
Impact Rating Explanation
High

 

  • Must be addressed in short term
  • Findings could result in significant risk exposure (e.g. reputational, financial) or impact the ability of achieving objectives
Medium

 

  • Should be addressed
  • Findings could result in risk exposure or financial impact
Low

 

  • Changes are desirable, but not essential
  • Findings identify areas for improvement

 

[*]