http://cnews.canoe.ca/CNEWS/Canada/2005/02/15/931808-cp.html

February 15, 2005

OTTAWA (CP) - The personal information of Canadians is at risk due to "significant weaknesses" in government computer security that leave the digital door open to hackers and thieves, says the auditor general.

In a highly critical report Tuesday, Sheila Fraser warns that federal agencies have failed to keep up with the demands of the electronic age, making sensitive files vulnerable.

"If security weaknesses allowed someone to access a database or confidential information, Canadians' trust in the government would be greatly eroded," the report says.

"Further, if a citizen's privacy were violated because of a failure to keep confidential information secure, it could cause that person hardship and seriously undermine the government's efforts to deliver services to Canadians electronically."

Fraser told a news conference she was disappointed the government doesn't meet its own minimum standards for information technology security, even though most of them have been well known for more than a decade.

The auditor general likened it to a homeowner leaving the back door open - eventually someone will break in.

"Government must fill in the gaps," she said. "There are weaknesses in the system."

But Fraser stopped short of urging Canadians to avoid using online federal services, saying she would continue to file her tax return by computer.

Information security is becoming increasingly important given that the federal government wants Canadians to have electronic access to key information and transactions by the end of the year.

Growing use of the Internet, portable computer devices and wireless technologies has made access to data easy and affordable, the report notes. "This environment provides more opportunities for problems to occur, such as theft of data, malicious attacks or criminal actions."

Treasury Board President Reg Alcock, minister responsible for government security policy, acknowledged the concerns Tuesday but said it's a "tough area for any organization, because the technology's always changing," requiring ongoing vigilance.

New Democrat MP Peter Julian said the government doesn't seem to be taking the auditor general's points as seriously as it should.

Fraser found the Treasury Board Secretariat was "not adequately fulfilling its role of monitoring and overseeing" the state of security across the government.

Last May, the secretariat surveyed 90 departments and agencies on their security practices. Of the 46 that responded, only one agency met the basic requirements of the government security policy and related standards.

The survey found:

* Sixteen per cent of departments didn't even have an information security policy. Of those that did, 33 per cent indicated it hadn't been formally approved by management.

* More than one-quarter of departments didn't have a policy requiring a plan to keep critical systems and services running in the event of a major attack or power failure.

Other internal studies flagged similarly worrisome problems.

"Vulnerability assessments, conducted in departments and agencies over the last two years, have revealed significant weaknesses that, if exploited, could result in serious damage to government information systems," says Fraser's report.

Despite the potential for difficulties, many departments and agencies had yet to adequately assess threats and risks to their computer systems.

In addition, there was often lax control of access to sensitive data and programs by people without authority to see it, the report says.

In some cases, computer passwords were not set properly, and most organizations had no comprehensive program for monitoring who was using their digital networks.

Fraser says there have been some advances since 2002 when she last examined these issues, but overall the government has made "unsatisfactory progress."

Reasons for the continuing gaps include lack of money and people, as well as little interest in information technology security among senior management, the report says.

Fraser's recommendations include preparation of action plans indicating when each department and agency intends to comply with security requirements.

The report says the Treasury Board Secretariat has "responded positively" to the recommendations and, in some cases, is already taking action.