The announcement regarding the establishment of Shared Services Canada (SSC) was guardedly encouraging news for asset protection and security (AP&S) specialists concerned with ensuring the confidentiality, integrity and availability of sensitive government information assets. The streamlining of email systems, data centres and network services looks to improve operational support and system up-times.
The streamlining also presents an opportunity to implement an enterprise-level information system (IS) security protection program that embodies the core AP&S principles of centralized control/decentralized execution, trusted all-round defence, and consistency of security control implementation. The SSC could provide the required centralized direction and oversight of compliance to participating departments that, in turn, would be entrusted with implementation of prescribed safeguards.
But if the opportunity is to be exploited fully, we must get it right from the outset. IS security is more expensive to retrofit than to build, and retrofit solutions are often less effective. What follows are suggestions to ensure that the SSC implements a cost-effective and appropriate cyber-protection posture.
These suggestions are interconnected and mutually supporting, as any IS program should be.
Make participation mandatory and “free.” Any exception to a program introduces vulnerabilities that are exploitable by a threat. Inconsistencies in the application of baseline security safeguards, ineffective inventory, configuration and change management, and rogue programmers can be curtailed by demanding that departments and agencies processing sensitive electronic information be served by SSC. These services should be provided without cost recovery or other cumbersome administrative overhead, or else departments may reconsider utilizing shared services, even in a climate of human resource cuts. Benefits accrued to the departments, such as off-loading the majority of their disaster recovery planning, system monitoring, incident management, and investigation of security incidents, must be stressed. SSC should be considered simply a transparent government resource to all federal entities.
Select and employ the best IS security practitioners. Given the consequence of breaches on an enterprise system, the most competent, trained and experienced practitioners should be recruited to join SSC’s IS security group. This cannot be a place for managers to unload lower-performing staff; rather, the security group should be seen as specialists, chosen primarily on merit, with professional certifications and advanced AP&S education as desirable selection criteria. Candidates’ capability and teamwork skills must prevail in the selection process. Strong leadership by IS security specialists must be incorporated at managerial levels.
Launch a cyber-protection project. Implementing ad hoc, fragmented IS security safeguards introduces additional vulnerabilities to the system and imperils all-round defence. A separate, formal project within SSC must be launched to produce an effective supporting IS security program that features appropriate, integrated, mutually supporting technical and non-technical safeguards. This project requires its own sponsor, project plan, skilled project management and AP&S resources, funding and engaged operational stakeholders. In this manner, when the architecture and infrastructure are being developed, IS security can be planned, implemented and certified to coincide with handover to operations.
Accredit the information systems. The process of certification and accreditation (C&A) to industry standards and government policy is the most effective method of ensuring that IS security risks are mitigated and managed throughout the system lifecycle. However, the C&A process takes planning, senior management commitment to assume the residual risk under accreditation, and the efforts of highly-capable IS security specialists to maintain accreditation thereafter. All connecting departmental systems must meet the rules of connectivity prescribed in accredited SSC systems.
Establish and maintain a comprehensive oversight program. Paraphrasing Thomas Jefferson, the cost of protection is eternal vigilance. Maintenance of accreditation of the SSC systems, and continued compliance with the rules of connectivity by participating departments, must be confirmed periodically by third party audits and inspections. Self-audits are of questionable value in IS security, especially when senior management’s bonuses are at stake. To ensure consistent implementation of safeguards, trusted oversight “on the ground” must be conducted.
Exploit trusted volunteers. Utilizing volunteers is an established AP&S practice in the areas of first responders (police, fire, medical). This model could be extended to IS security, including volunteers as trusted advisors, subject matter experts, or oversight audit team members. Community-minded retirees, academic researchers, and college or university students on work placements are potential participants, and may lead to other cost-effective ways to achieve effective cyber-protection.
In summary, the new Shared Services Canada represents a golden opportunity to implement a paradigmatic IS security program, but it will work only if we get it right from the start, using all available resources to establish a consistently applied program of all-round defence of our valued information assets.
Wayne Boone is the coordinator and principal instructor of the Infrastructure Protection and International Security Program at Carleton University (firstname.lastname@example.org).