Shared Services Canada offers opportunity for effective information system security – Canadian Government Executive


Security
May 7, 2012

Shared Services Canada offers opportunity for effective information system security

The announcement regarding the establishment of Shared Services Canada (SSC) was guardedly encouraging news for asset protection and security (AP&S) specialists concerned with ensuring the confidentiality, integrity and availability of sensitive government information assets. The streamlining of email systems, data centres and network services looks to improve operational support and system up-times.

The streamlining also presents an opportunity to implement an enterprise-level information system (IS) security protection program that embodies the core AP&S principles of centralized control/decentralized execution, trusted all-round defence, and consistency of security control implementation. The SSC could provide the required centralized direction and oversight of compliance to participating departments that, in turn, would be entrusted with implementation of prescribed safeguards.

But if the opportunity is to be exploited fully, we must get it right from the outset. IS security is more expensive to retrofit than to build, and retrofit solutions are often less effective. What follows are suggestions to ensure that the SSC implements a cost-effective and appropriate cyber-protection posture.

These suggestions are interconnected and mutually supporting, as any IS program should be.

Make participation mandatory and “free.” Any exception to a program introduces vulnerabilities that are exploitable by a threat. Inconsistencies in the application of baseline security safeguards, ineffective inventory, configuration and change management, and rogue programmers can be curtailed by demanding that departments and agencies processing sensitive electronic information be served by SSC. These services should be provided without cost recovery or other cumbersome administrative overhead, or else departments may reconsider utilizing shared services, even in a climate of human resource cuts. Benefits accrued to the departments, such as off-loading the majority of their disaster recovery planning, system monitoring, incident management, and investigation of security incidents, must be stressed. SSC should be considered simply a transparent government resource to all federal entities.

Select and employ the best IS security practitioners. Given the consequence of breaches on an enterprise system, the most competent, trained and experienced practitioners should be recruited to join SSC’s IS security group. This cannot be a place for managers to unload lower-performing staff; rather, the security group should be seen as specialists, chosen primarily on merit, with professional certifications and advanced AP&S education as desirable selection criteria. Candidates’ capability and teamwork skills must prevail in the selection process. Strong leadership by IS security specialists must be incorporated at managerial levels.

Launch a cyber-protection project. Implementing ad hoc, fragmented IS security safeguards introduces additional vulnerabilities to the system and imperils all-round defence. A separate, formal project within SSC must be launched to produce an effective supporting IS security program that features appropriate, integrated, mutually supporting technical and non-technical safeguards. This project requires its own sponsor, project plan, skilled project management and AP&S resources, funding and engaged operational stakeholders. In this manner, when the architecture and infrastructure are being developed, IS security can be planned, implemented and certified to coincide with handover to operations.

Accredit the information systems. The process of certification and accreditation (C&A) to industry standards and government policy is the most effective method of ensuring that IS security risks are mitigated and managed throughout the system lifecycle. However, the C&A process takes planning, senior management commitment to assume the residual risk under accreditation, and the efforts of highly capable IS security specialists to maintain accreditation thereafter. All connecting departmental systems must meet the rules of connectivity prescribed in accredited SSC systems.

Establish and maintain a comprehensive oversight program. Paraphrasing Thomas Jefferson, the cost of protection is eternal vigilance. Maintenance of accreditation of the SSC systems, and continued compliance with the rules of connectivity by participating departments, must be confirmed periodically by third party audits and inspections. Self-audits are of questionable value in IS security, especially when senior management’s bonuses are at stake. To ensure consistent implementation of safeguards, trusted oversight “on the ground” must be conducted.

Exploit trusted volunteers. Utilizing volunteers is an established AP&S practice in the areas of first responders (police, fire, medical). This model could be extended to IS security, including volunteers as trusted advisors, subject matter experts, or oversight audit team members. Community-minded retirees, academic researchers, and college or university students on work placements are potential participants, and may lead to other cost-effective ways to achieve effective cyber-protection.

In summary, the new Shared Services Canada represents a golden opportunity to implement a paradigmatic IS security program, but it will work only if we get it right from the start, using all available resources to establish a consistently applied program of all-round defence of our valued information assets.


Wayne Boone is the coordinator and principal instructor of the Infrastructure Protection and International Security Program at Carleton University (wayne_boone@carleton.ca).
