
ARCHIVED - Performance Measurement for the Government On-Line Initiative





Security

Indicator(s)

Use of the common infrastructure

Adequate steps by departments and agencies to ensure that transactions are secure

Citizens/clients perceive that on-line services are secure

Measurement Level and Technique

Measurement at the "whole of government" level using citizen/client feedback, and at the service level using self-assessments, client feedback, and tracking of how clients engage the federal government

Primary tool(s)/data source(s)

1)   Omnibus surveys – includes, e.g., EKOS' Information Highway studies

2)   Secure Channel roadmap, outlining plans for the provision and use of Secure Channel services

3)   Departmental reporting on GOL plans and progress – the reporting includes two types of data related to security: data on what type of IM/IT infrastructure is required by which date; and information on threat risk assessment, certification and accreditation, and business continuity planning

4)   Discussions among departmental security coordinators and departments and agencies with a lead role in this area

Summary of results achieved in 2003

Mostly positive – Canadians have more confidence in governments than either the banks or the private sector in terms of offering safe on-line services. However, they have significantly more comfort in applying on-line for a program or service than for making an e-payment. The current take-up of on-line federal services also provides evidence of Canadians' increasing confidence – the proportion of clients who completed transactions on-line increased from 21% in 2002 to 24% in 2003. In general, departments and agencies are meeting the security expectations of their clients. A reliable "whole of government" incident handling process is in place to respond to external threats. The Secure Channel now offers authentication and e-payment services, both of which Canadians and businesses are using in increasing numbers. Secure Channel is developing and implementing services for which there is strong departmental demand, enabling the federal government to conduct secure on-line transactions with clients. Departments and agencies are at various stages in implementing the Government Security Policy, which requires threat and risk assessments and business continuity plans for federal services.

Raw data


Perceptions of on-line service delivery

  • Canadians' awareness of security-related technologies is modest, but increasing (EKOS, 2003)
  • Canadians have more confidence in governments than banks or the private sector in terms of offering safe on-line services (EKOS, 2003)

–    62% agree (20% disagree) that governments would not offer the choice of doing things such as filing taxes through the Internet unless it was safe to do so, up from 59% in 2002

–    In contrast, 59% agree (24% disagree) that banks would not offer the choice of banking on-line unless it was safe to do so, and 38% agree (39% disagree) that companies would not offer the choice of doing things such as buying products through the Internet unless it was safe to do so

  •  73% of Canadians have a moderate (58%) to high (15%) level of comfort with applying on-line for a federal program or service, up slightly from 71% in 2001; but only 37% have a moderate (27%) to high (10%) level of comfort with making an on-line payment to the federal government, up slightly from 35% in 2001 (EKOS, 2003)

–    Internet users have a higher level of comfort than Canadians in general – 60% of Internet users have a moderate (32%) to high (28%) level of comfort with providing their credit card number on-line in order to make a payment to the federal government

Security coordination

  • Incident handling – the ability to detect and respond to Internet viruses – is a major security issue; incidents such as Nachi, Blaster, and Sobig have the potential to make on-line services (i.e., their networks and/or systems) unavailable or untrustworthy if a reliable incident handling process is not in place
  • To ensure reliable incident handling, the federal government has developed, and is continually monitoring results from, a number of common/shared services, including:

–    Secure Channel Information Protection Centre (IPC)

–    PWGSC IPC

–    PSEP (formerly OCIPEP) Coordination Centre

–    Cyber Incident Coordination System triage unit

–    Alerts and advisories from PSEP and other government and non-government organisations

  • In addition to this, some departments and agencies have implemented their own incident handling processes

The common, secure infrastructure

  • 85 of 130 GOL services (65%) require strong authentication and security services to enable two-way transactions; this represents an estimated 15 million transactions by 2009-10
  • To date, the federal government's Secure Channel services include:

–    SCNet, an advanced IP/VPN network interconnecting 130 departments and agencies, certified to "Protected A" and scalable to "Protected B" (see the end of this section for definitions)

–    Security and authentication services, including ePass, which control access to on-line applications, protect privacy, and secure IT infrastructure from hackers

–    Payment services

  •  More than 115,000 ePasses have been issued since the launch of CCRA's "Address Changes On-Line" (September 2002) and HRDC's "Record of Employment on the Web" (May 2003), which are the first two services to use ePass for on-line registration and authentication

  • Almost 45,000 on-line credit card payments have been processed using the Secure Channel payment service since its launch (May 2003)
  • There is a strong demand for Secure Channel services: 29 departments and agencies (77 applications) indicate that they need the Common Registration Service in 2004, 22 departments (45 applications) that they need ePass, 18 departments (34 applications) that they need Digital Signature, and 18 departments (35 applications) that they need Encryption Services

Government Security Policy

  • Three of the most critical factors in IM/IT security are a Threat and Risk Assessment (TRA), a Business Continuity Plan (BCP), and Certification and Accreditation (C&A) of the service prior to implementation and operation (see the end of this section for explanations of these activities); these activities, including for the Secure Channel, are mandatory under the Government Security Policy, which was updated in 2002
  • Departments and agencies are at various stages in implementing the Government Security Policy; more than 50% of GOL services reporting information have completed or are completing their TRA; less than 30% report that they have a BCP in place; GOL services have not consistently done C&A

–    There is some evidence suggesting that there is a lack of understanding of what is expected and, thus, that an awareness program and/or direct support may be required; training is either being set up, or is available for federal employees

–    Note that the Secure Channel has completed its TRA, BCP, and C&A

  • Related to the Government Security Policy, the Management of Information Technology Security Standard is currently available as a final draft; it includes such management controls as TRA, BCP, and C&A as well as technical and operational safeguards, which are defined in the context of the Protect-Detect-Respond-Recover cycle

Plans for improvement


  •  Incident handling across the federal government continues to evolve and improve; future plans include:

–    Enhancing the Secure Channel IPC

–    Building interoperability and coordination capabilities among the Secure Channel IPC, the PWGSC IPC, and PSEP (formerly OCIPEP)

–    Developing common analysis services and solutions with an infrastructure overlay that will assist departments and agencies in establishing or enhancing their own detect and respond capabilities

–    Developing an intrusion detection standard – if passed, Bill C14 will give departments and agencies the legal framework for intrusion detection, acknowledging the responsibility of the federal government both to securely manage their IM/IT assets and to respect individual privacy rights (note that while some guidance is currently available, the standard will not be finalised until Bill C14 is passed)

  • Departments and agencies will receive additional support through the completion of the following common/shared initiatives:

–    Detection, Analysis, and Response Infrastructure Model, led by PSEP, which will provide a comprehensive, secure infrastructure to support the detection, analysis, and response to cyber incidents within the federal government

–    Threat and Vulnerability Analysis System, led by CSE, which will support the identification of and response to current and emerging safety and security cyber threats, and improve the monitoring and mitigation of risks to federal services

–    Cyber Incident Coordination System, led by PSEP, which supports the coordination of incident management across the federal government

  • Future development of the Secure Channel will include services that enable secure interoperability across departmental applications (horizontal delivery), such as privilege management, e-forms, and service exchange
  • The federal government is currently developing additional security standards and guidance in support of the Government Security Policy to assist business owners and security professionals in identifying security requirements and in implementing appropriate controls and safeguards; they include: Business Continuity Planning Program Standard, IT Security Zones Baseline Security Requirements (a joint CSE and TBS initiative), Security Risk Management Standard, Incident Management Standard, Intrusion Detection Standard, and the overarching Management of Information Technology Security Standard; these standards and guidance will provide departments and agencies with a common set of tools and solutions, and will be available by the end of 2004-05
  • Specific security monitoring, including maturity assessment, is planned; this includes a departmental IT Security Self-Assessment Program to assess compliance with federal security policies and standards; subsequent "whole of government" analysis of the data will provide an overview of security compliance, and will indicate the presence of appropriate security processes, controls, resources, and solutions
  • The federal government is also putting increased emphasis on security awareness and training for all employees, not just security professionals; the goal is to help create and foster a culture of security across the government, ensuring a better and more consistent understanding of the security requirements and expectations

Terminology

"Protected A" – information whose compromise could reasonably be expected to cause a low level of injury to private or non-national interests, for example, disclosure of an exact salary figure

"Protected B" – information whose compromise could reasonably be expected to cause a medium level of injury to private or non-national interests; such information concerns an individual or an organisation, and is considered to be particularly sensitive

Security risk management

1. Threat and Risk Assessment (TRA), including a Statement of Sensitivity (SOS) identifying and categorising assets in terms of their confidentiality, integrity, availability, and value, based on the Operational Standard for the Identification and Categorisation of Assets

2. Business Continuity Plan (BCP), including a Business Impact Assessment (BIA) documenting the relative priority/criticality of services and systems, and the maximum/minimum allowable down-time

3. Certification and Accreditation (C&A) of systems and services, confirming that the security requirements have been fulfilled, and signifying that management has authorised the system or service for operation

4. Vulnerability Assessments, which identify inherent vulnerabilities and recommend remedial action

5. Active Defence, based on the Protect-Detect-Respond-Recover cycle