It’s a safe bet no organization anywhere can be 100 per cent secure. A constantly changing cyberscape helps guarantee this. It’s also why security and IT managers can never run and hide from risk management and threat assessment.
Among the many elemental, technical details of the federal government’s Management of IT Security (MITS) standard, one overriding theme has ruled them all: IT security is very much about making sure there’s good awareness of business risk management.
A key aspect to MITS, since its inception in May 2004, has been to get all the government’s business leaders on board. Assistant deputy ministers and deputy ministers have to be well aware of the risks around their program delivery and then translate that risk management into their IT security posture.
“MITS is founded fully on a risk management approach,” says Jim Alexander, the federal government’s deputy CIO. “It’s about dealing with this as a business risk management piece, as opposed to some technical thing and, ‘You better make sure nothing ever goes wrong.’”
More than 100 federal core public service departments and agencies are subject to MITS and every one is expected to comply with the standard by the end of next month.
But if engaging senior management and identifying the real business risks presented challenges, the sheer volume of work towards compliance – and exactly what form that compliance would take – has proved daunting.
MITS is viewed by and large as a high-level document, at least as far as standards are concerned. It attempts to define the baseline requirements to achieve a minimum level of security, but details on how to actually implement some of the items are few and far between.
“As far as using MITS to help guide us to achieving security, it really is more of just a guideline than a standard for us,” says Paul van Gurp, IT security manager at the Office of the Superintendent of Financial Institutions (OSFI).
“I guess the grey area is what exactly MITS compliance means, and how do you know when you’re MITS-compliant?” he says. Resources for implementing MITS are also scarce, despite assistance from Treasury Board Secretariat, further guidelines from the RCMP and Communications Security Establishment (CSE), as well as proactive collaboration between departments and agencies.
Exactly how far departments implement MITS will be an internal decision for senior management, says Van Gurp, who describes full compliance as a high and lofty goal.
“Not all departments and agencies have the resources or the time to be able to do things like certification and accreditation of all their systems, and threat assessment and risk management.
“It’s one roadblock in MITS compliance for a lot of departments and agencies, including ours.”
To find and understand risks, Van Gurp says most government departments and agencies, as well as third-party vendors, look to the CSE and RCMP for standard methodologies of assessment and for recommendations to mitigate risk.
“Risk management typically means identifying your assets, the value and criticality of those assets, what the threat agents are and the likelihood of that threat agent affecting your organization’s assets,” he says.
“It’s the vulnerability and the likelihood that vulnerability will be exploited and the risk associated with all those factors.”
Alexander concedes MITS is a very detailed IT security standard comprising many elements, and there is no doubt about the scale of work involved in threat and risk assessments and certification.
“Across most of our programs, we are very dependent on some sort of IT support. And that does mean there’s quite a volume of work to do. IT security is something we’re taking very seriously as the Government of Canada, but so are a lot of other organizations, both public and private sector.
“And therefore there are scarce resources and there are often fairly urgent timeframes on some of them. In the end, it’s just sort of a risk management, and therefore there still are incidents to respond to, and to respond to effectively.”
The key thing, he stresses, is that MITS is a standard and Treasury Board expects departments and agencies to comply with it. “To keep compliant and to make sure we maintain the security posture we need, there’s going to be ongoing activity needed.”
As the regulator of Canada’s financial institutions, and given some of the highly sensitive data housed there, the OSFI is definitely among the more hard-pressed to adopt a tight security stance.
“Our standards are significantly higher than the requirements of MITS,” says Peter Pearson, an IT security infrastructure specialist at the OSFI. “And the sense I’m getting from peers at other agencies also is they’re not comfortable applying just the minimum.”
“With MITS compliance, it almost sounds like you have a start line and a finish line, and in December everyone can take a breather and just stop doing security, but obviously that’s not the case,” adds Van Gurp. “We’re always thinking of security. MITS outlines those base requirements, but we won’t stop considering ways to improve our security.”
For Internet security and the inspection of malicious code, the OSFI has been using appliances from Finjan Inc. since as far back as 2002. More recently, the agency has implemented a two-factor PKI authentication process and deployed full disk encryption on all workstations and laptops.
“There are a lot of different pieces we’ve put into place in advance of the deadline, but there’s always some uncertainty,” says Van Gurp. “It just depends on finding the right time, the right resources and having the internal discussions and agreements in place to make those things happen.”
Departments and agencies are individually accountable for the integrity of their program delivery, and therefore the IT security that’s underneath that, Alexander notes. Government units have twice had to undergo a self-assessment process against all the elements of MITS, in September 2005 and again 12 months later, and report back to Treasury Board on their progress and plans for compliance with MITS.
“It’s clear we need to address IT security in a very proactive way,” Alexander reiterates. “MITS is a very effective foundation, but we realized we wanted to move beyond just that, to develop an IT security strategy which addressed a number of other key aspects.
“As required, we’ll continue to refresh these standards to address emerging risks and trends.”