Transport Canada hopes to improve its risk management profile by planning some enhancements to its IT security training programs for all its employees.
The federal department is responsible for overseeing the flow of millions of dollars in goods and services across the border, and a big part of that job involves ensuring people and assets are properly protected, said Richard Ruta, director of IT/IM security and infrastructure planning at Transport Canada. At the same time, it is equally important that services be sustained despite any potential security threats, he added.
Ruta made his comments at last week’s GovSym, a public sector conference held in Ottawa and hosted by IT World Canada and founding sponsor Symantec.
Transport Canada already provided IT security training as part of new employee orientation, Ruta said. The plan now is to introduce a refresher about once every two years. Ruta is currently overseeing an initiative that could involve using technology as part of the process.
“We’re looking at computer-based training that could be pushed out and checked to ensure it has been completed,” he said. “We’re not trying to penalize people here, but we need to make sure the emphasis on proper security policies are well understood. Compliance is not discretionary.”
Ruta said Transport Canada has deliberately integrated IT security with information management policies in order to show that both elements are necessary for the successful operation of its services.
Rob Thorne, director of risk management and compliance at EDS, told GovSym that proper IT security depends in part on how well an organization can gauge its “risk appetite” related to various threats. For example, some risks may require an organization to terminate a certain activity. In other situations, it may be possible to transfer the risk onto a person, department or third party who can better handle it. Risks can also be treated and effectively dealt with, or simply accepted if the potential outcome isn’t too severe.
All these variables become critically important in the public sector, Thorne said, which Symantec has indicated represents the second-largest target for IT security attacks. “Threats are becoming much more state-sponsored,” he said.
Ruta said Transport Canada is very careful to follow federal government guidelines, such as creating Statements of Sensitivity (SoS) that become part of the system development process and look at issues around access. The department tries to look at everything under its purview to see what should be considered unclassified, protected or classified, he said.
A more challenging risk, perhaps, is that posed by the increased use of mobile technologies such as laptops or thumb drives that store confidential data. “Employees going home and working on these things on their home computers could bring back malware,” he pointed out.
Ruta did not say what kind of computer-based training tools Transport Canada was considering or what kind of a timeline would be involved in rolling it out.