Cybersecurity: What if the federal Department of Public Safety has been lax?
A recently published report revealed that the federal Department of Public Safety has serious problems with its organization and its compliance with computer security rules.
The administration is described as "lax" in its use of external storage devices.
"The federal Department of Public Safety intends to encrypt all data stored on desktops and laptops and disable all default USB ports when a software upgrade is completed in the department," the report said.
The intriguing part of the same report states that some employees who were no longer part of the department in question "still had privileged access to the network" while "some current employees have unnecessary administrative access to mission-critical applications."
The little-noticed internal audit was completed in April and made public on 11 July.
For his part, the author of the report recommends several improvements to ensure the security of the department's computer systems. The department is responsible for most security-related institutions, such as the RCMP, the Canadian Intelligence Service, the Parole Board of Canada or the Correctional Service.
The report was made public after the arrest of the former director of the RCMP, Cameron Jay Ortis, a former officer of the Royal Canadian Mounted Police. He was charged with disclosing secret information to a recipient who probably did not have the clearance or even the right to receive it, a disclosure that was made illegally. The investigation is pursuing the hypothesis of a foreign entity.
According to the audit report, the department has no formal way to systematically identify, assess and analyze the risks related to the security of all of its information technologies. Officials at the time had not instituted periodic reviews or even continuous monitoring of all the privileges that give access to the computer network.
For example, to remove a person's access when they leave, a form has to be filled out. According to information received by inspectors, this form is rarely completed. Not to mention that incidents were rarely followed up when they involved technology services.
"The audit could not confirm that all computer security incidents were recorded and processed through appropriate channels to ensure that corrective action was taken in a timely manner," the report reads.
The report states that those directly involved in information technology management in the department were not adequately trained in the requirements for the processing of electronic files and the use of secure means of transmission.
"The transmission of sensitive PS information or documents to personal email addresses without additional protection such as encryption is also not monitored," the report explains.
"The audit revealed that the Ministry of Public Safety does not keep records of the USB sticks that have been issued and that there are limited controls in place to identify if individuals are backing up sensitive information on a USB stick.
"In addition, it does not retrieve USB sticks during security checks to examine their contents. There is therefore a risk that USB sticks may contain sensitive, unencrypted information that could constitute a security incident," the report read.
Faced with this situation, the ministry proposes to encrypt all the data that will from now on be stored on the computers in its offices.
"Safety awareness and training must be conducted in a systematic and comprehensive manner to ensure that individuals are informed of their IT security responsibilities and maintain the knowledge and skills necessary to carry out their duties effectively," the report says.