Summary: what we found in our audits
Systems
The Ministry should improve their general computer controls by:
• developing and documenting Information Technology security policies—see page 128.
• documenting and testing disaster recovery plans for all Information Technology systems—see page 129.
• improving access controls over their information systems—see page 130.
• developing and documenting Information Technology security policies that consider judicial needs for the Civil and Sheriff Entry system—see page 131.
Performance reporting
We issued unqualified auditor’s reports on the financial statements of the Ministry and the Office of the Public Trustee, Estates and Trusts. We found no exceptions when we completed specified auditing procedures on the Ministry’s performance measures.
Overview of the Ministry
The Ministry’s 2006–2009 business plan describes four core businesses:
• Prosecutions
Four core
businesses • Courts
• Legal and strategic services to government
• Justice services to Albertans
Ministry received
$143 million Total revenue for the Ministry was $143 million in 2006–2007. The Ministry’s main revenue sources are:
(millions of dollars) Fines and related late payment penalties $ 65
Fees 37
Transfers from the federal government 13
Maintenance enforcement program 11
Motor vehicle accident recovery 8
Volume 2—Audits and recommendations Justice and Attorney General
Ministry spent
$331 million The total operating expenses for the Ministry were $331 million in 2006–2007, comprised mainly of:
(millions of dollars) The Ministry’s Court Services division $ 142
Legal services 91
Support for legal aid 43
Motor vehicle accident claims 26
Office of the Public Trustee 11
Medical examiner 6
Ministry manages
trust funds The Ministry manages trust funds of approximately $548 million. This amount includes $473 million administered by the Office of the Public Trustee.
For more detail on the Ministry, visit its website at www.gov.ab.ca/just/.
Scope: what we did in our audits
1. Systems
We examined Information Technology controls
We examined the Information Technology (IT) controls of four systems: the Civil and Sheriff Entry system (CASES), Maintenance Information
Management system (MIMS), Justice Online Information Network (JOIN) and Public Trustee Information system (PTIS).
2. Performance reporting
We audited the financial statements of the Ministry and the Office of the Public Trustee, Estates and Trusts for the year ended March 31, 2007. We completed specified auditing procedures on the Ministry’s performance measures.
Our audit findings and recommendations
1. Systems
1.1 Information Technology Security Recommendation No. 31
We recommend that the Ministry of Justice develop and document Information Technology security policies.
Background Ministry has
decentralized divisions
The Ministry of Justice provides services through its divisions, which include the Department of Justice, the Ministry’s Court Services division and the Office of the Public Trustee.
Volume 2—Audits and recommendations Justice and Attorney General
Criteria: the standards we used for our audit The Ministry should:
• develop, document and publish security policies that guide all divisions in delivering Information Technology (IT) services;
• enforce compliance with these policies;
• provide regular security awareness training for staff members.
Our audit findings No overall
Information Technology security policies
The Ministry has no overall IT security policies. It has developed and documented system-specific security policies for its major IT systems, such as Justice Online Information Network (JOIN) and Maintenance Information Management system (MIMS). But it has not done so for the Civil and Sheriff Entry system (CASES), administered by the Ministry’s Court Services division, or the Public Trustee Information system (PTIS), administered by the Office of the Public Trustee. The Ministry does not provide regular security awareness training for staff, nor has it defined roles or
responsibilities to monitor compliance against the security policies.
The Ministry has established an Information and Technology Management Governance Committee, which is working to develop a strategic plan.
Implications and risks if recommendation not implemented Reliability of
information systems may be at risk
Without comprehensive IT security policies at the Ministry-level, security policies among the divisions may be inconsistent and compliance may not be enforced. A weakness in one IT system may disrupt normal operations for other systems and decrease the overall reliability of the Ministry’s
information systems.
1.2 Disaster Recovery Plans Recommendation
We recommend that the Ministry of Justice document and test disaster recovery plans for all Information Technology systems.
Background Overall Business
Continuity Plan has identified critical systems
The Ministry of Justice has developed an overall Business Continuity Plan (BCP) for all divisions in the Ministry. The divisions update the BCP annually. The BCP has classified several Information Technology (IT) systems as critical and one of the critical IT systems has a documented disaster recovery plan. The Ministry’s critical IT systems are hosted at Service Alberta’s Edmonton central computing centre and at the Ministry’s in-house data centre.
Volume 2—Audits and recommendations Justice and Attorney General
Criteria: the standards we used for our audit
The following key procedures should be used to develop disaster recovery plans (DRP) for all critical IT systems:
• Determine IT system recovery requirements based on the importance of the business processes as identified in the BCP;
• Establish and implement backup and recovery methodologies and techniques based on IT system recovery requirements;
• Co-coordinate and establish appropriate IT system recovery capabilities with service providers based on recovery requirements;
• Develop a testing schedule to periodically validate IT system recovery capabilities and timeframes.
Our audit findings
The Ministry does not have:
• Functional documented disaster recovery plans to guide the recovery of the systems identified as critical, within the required timelines;
• Validated backup and recovery procedures to ensure that the data can be recovered from the backup media;
Disaster recovery plans required for critical systems
• Established recovery capabilities agreed on in the service level agreement with its service provider, Service Alberta;
• Validation of the recovery procedures based on periodic tests. These tests would ensure that the Ministry can recover its critical applications and associated infrastructure in the required timelines.
Implications and risks if recommendation not implemented Restoration of
critical
applications may be impaired
The lack of functional documented disaster recovery plans may delay or seriously impair the restoration of critical applications and business processes in the event of a service disruption.
1.3 Information Technology Access Controls Recommendation
We recommend that the Ministry of Justice improve access controls over its information systems by:
• reviewing user access rights regularly, and
• adopting strong password controls.
Volume 2—Audits and recommendations Justice and Attorney General
The Ministry’s computer systems require a valid username and password.
Best practices, such as the Government of Alberta Identity and Authentication Standard and National Institute of Standards and Technology Special
Publication 800-63, provide guidelines for strong passwords for critical and confidential systems such as the Civil and Sheriff Entry system (CASES).
Maintenance Enforcement Management system (MIMS), Justice Online Information Network (JOIN) and Public Trustee Information system (PTIS).
Criteria: the standards we used for our audit The Ministry should:
• document and publish a password policy that meets industry best practices.
• configure IT systems to comply with this policy.
• require IT system owners to periodically review and confirm that user access rights serve a business need and that the access level is
appropriate.
Our audit findings No review of user
access to critical systems
There was no documented process to regularly review user access for the IT systems we audited: MIMS, JOIN, CASES and PTIS. The Ministry has an informal process to verify, by email, the appropriateness of access granted to the MIMS application. However, the process is not documented, nor does it verify if a user’s access level is appropriate for the job.
Ministry password policy does not meet best practice
The current password policy does not meet industry best practice – users can reuse their old passwords during the same day, and the minimum password length is 7 characters. Industry best practice recommends a minimum password age policy so that passwords cannot be used again within a specified period, and a minimum password length of 8 characters.
Implications and risk if recommendation not implemented
Inadequate access and password controls increase the risk of inappropriate access to the Ministry’s IT systems. This could result in unauthorized changes to critical information.
1.4 Judicial Information Technology Security Recommendation
We recommend that the Ministry of Justice improve controls over the Civil and Sheriff Entry system by developing, documenting and
implementing Information Technology security policies consistent with the guidance in the “Blueprint for the Security of Judicial Information”.
Volume 2—Audits and recommendations Justice and Attorney General
The Ministry’s Court Services division uses the “Blueprint for the Security of Judicial Information” (Blueprint) prepared by the Computer Security
Subcommittee of the Judges Technology Advisory Committee, as a guide to manage information security. The Blueprint provides a model for developing effective Information Technology (IT) security policies that consider judicial needs.
Criteria: the standard we used for our audit Criteria we used The Ministry’s Court Services division should:
• document and enforce division-level security policies that guide all divisions in delivering IT services;
• document and implement division-level IT system access controls to ensure that only authorized users can access any court system, based on their job functions;
• complete a threat risk assessment of their critical IT assets to ensure that adequate controls mitigate any risks;
• establish computer-use monitoring on all servers and network devices to screen for unauthorized access attempts and unusual use patterns;
• follow a documented change-management process that includes segregation of duties;
• provide regular security awareness training for staff members.
Our audit findings
The Ministry’s Court Services division has the following IT security control weaknesses with respect to the Civil and Sheriff Entry system.
IT security policies
Although the Ministry’s Court Services division uses the Blueprint as a guide to implement IT security policies, it has not documented or enforced the policies. Policy 3 of the Blueprint states that “Courts must provide all users with ongoing awareness training and materials on IT Security.” But the Ministry’s Court Services division does not conduct security awareness training, and it has not assigned anyone to provide this training regularly.
Access controls Access control
processes are not documented
The Ministry’s Court Services division has not documented access control processes for the Civil and Sheriff Entry system (CASES) IT system. Staff follow an informal process to request and grant IT system access: system supervisors in each court have authorization to grant access to users at that location. But there is no process to confirm the requested access by
designated approvers before granting access to the CASES system. The central systems administrator for CASES completes informal user access reviews periodically. However, there is no process to complete regular
Volume 2—Audits and recommendations Justice and Attorney General
reviews to ensure that the user access is valid based on the job function. The CASES administrator in Calgary has delegated access authority to all supervisors, allowing them to request, approve and grant user access to staff in their area. But the administrator does not review the access granted, and there is no process to periodically review user access.
Threat risk assessment Threat and risk
assessment has not been performed
The Ministry’s Court Services division maintains an inventory of IT assets, but does not group them by business function or classify them according to the criticality and sensitivity of information they support. Further, there is no documented evidence that the Ministry’s Court Services division has done threat and risk assessments for these assets. According to policy 4 of the Blueprint “every court must plan and conduct a regular threat and risk assessment” to ensure effective safeguards are implemented to mitigate the risk. Although the Ministry has identified the CASES system as critical, the physical environmental controls, and the location of the server are not appropriate to house a critical server with no provision for system recovery.
Completing a threat risk assessment would identify these and other risks.
Log monitoring
Appropriate network devices are present to capture and log network traffic.
However, the Ministry’s Court Services division has not developed or documented policies and procedures to indicate the types of permissible computer monitoring which will not significantly threaten judicial independence, and does not keep the logs or monitor communications.
Change management Change
management processes are not documented
The Ministry’s Court Services division uses an informal process for change management, but staff don’t consistently follow it. The change management process does not require appropriate approvals before changes are made in the production IT systems. In addition, there is no segregation of duties between developers and implementers—the same consulting staff members are responsible for both functions.
Implications and risks if recommendation not implemented Reliability of
information systems may be at risk
Without division-level security policies, the Ministry’s Court Services division won’t develop or enforce consistent policies for all systems. It may give inappropriate access to CASES if it does not regularly approve and review IT system access. Without a consistent change management process for the IT environment, appropriate scheduling, ranking and impact
assessment of changes may not occur.
Volume 2—Audits and recommendations Municipal Affairs and Housing