
We recommend senior management of the Ministry of

In the document Report of the Provincial Auditor (Pages 102-110)

Monitor performance

4. We recommend senior management of the Ministry of Highways and Infrastructure receive a report on the results of the maintenance activities at the end of the maintenance season, as required.

¹⁴ Senior management receives information on the performance measures related to the National Highways System (i.e., percent of the National Highway System in good condition, percent of kilometres resurfaced on the National Highways System to meet the targeted life cycle cost).


Main points
Introduction
Security awareness
Audit objective, criteria, and conclusion
Key findings and recommendations
Demonstrate management commitment to security awareness
Security policies incorporate security awareness program
Inform users of their information security responsibilities through the formal security awareness program
Periodically review the effectiveness of the security awareness program
Selected references

Main points

This chapter reports the results of our audit of security awareness processes at the Ministry of Justice and Attorney General (Justice).

We concluded that Justice had adequate security awareness processes, except that Justice needs to:

• assess its security awareness needs

• update its formal plan for its security awareness program and carry out the plan

• monitor the effectiveness of its security awareness program

Introduction

The Ministry of Justice and Attorney General (Justice) is responsible for providing legal services and justice policy advice to government in order to protect the legal rights of citizens and to promote social and economic order for Saskatchewan. Justice is also responsible for supporting courts, prosecutions, victims, civil law services, and for regulating the marketplace. Justice also provides services to resolve social and family conflict.¹

Our 2009 Report – Volume 3 reports the results of our audit of Justice for the year ended March 31, 2009. This chapter reports the results of our audit of Justice’s security awareness processes.

Justice uses information systems that are critical to the operations of the Ministry. A majority of these systems contain sensitive or confidential information. This includes information relating to traffic fines, court dates, and legal/criminal case information. Some of the information systems at Justice process credit card transactions. Justice also uses information systems to record its corporate financial information.

Justice must keep its information systems secure. If security is not adequate, there is a risk that information could be altered by unauthorized persons, that confidential information may be inappropriately disclosed, or that information may not be available when needed. If the information is not secure, there is a risk of harm to people. Justice has over 900 employees in various locations throughout the province. Justice needs to ensure that all of its employees keep its information secure. We audited whether Justice has adequate processes for security awareness.

Security awareness

Security awareness means being well informed about security issues, understanding security responsibilities, and acting accordingly.² The key to security awareness is being security conscious and as a result, changing behaviour to appropriately protect information.³

¹ Ministry of Justice and Attorney General, 2008-09 Annual Report, p.7.

² Wulgaert, p.9.

³ Ibid.

Security awareness is an important part of information security. Agencies must keep their information secure, including their information technology (IT) systems and data. This means ensuring the confidentiality, integrity, and availability of information. To do this, agencies must set out and follow adequate security policies and procedures. If users are not aware of the policies and procedures that they need to follow, it is more difficult for an agency to protect its information.⁴ Even sophisticated security measures can be rendered less effective if there is inadequate security awareness.

A security awareness program can be a cost-effective method of improving an agency’s information security. Improved security awareness can reduce future costs such as recovery of lost data and notification and litigation costs when information has been inappropriately disclosed.

Security awareness activities need to be a continuous process.⁵ Without on-going activities, users may forget or be less able to take adequate measures to protect an agency’s information. Repeated reminders of security awareness issues can improve a user’s capacity to remember security principles. Agencies that have continuous security awareness activities are more likely to have employees that are “security conscious” as they carry out their responsibilities. This decreases the risk that information will be lost, stolen, or inappropriately disclosed.

We describe “Good processes for security awareness” more fully at the end of the Agriculture chapter, Chapter 3.

Audit objective, criteria, and conclusion

The objective of this audit was to assess whether the Ministry of Justice had adequate processes for security awareness for the twelve-month period ended February 28, 2010.

To conduct this audit, we followed The Standards for Assurance Engagements published by The Canadian Institute of Chartered Accountants. To evaluate Justice’s processes, we used criteria based on the work of other auditors and current literature listed in the selected references. Justice’s management agreed with the criteria (see Exhibit 1).

⁴ Herold, p.xxix.

⁵ Wulgaert, p.4.

Exhibit 1 – Audit criteria

To have adequate processes for security awareness, an agency should:

1. demonstrate management commitment to security awareness

2. implement adequate security policies that incorporate a security awareness program

3. inform users of their responsibilities through a formal security awareness program

4. periodically review the effectiveness of its security awareness program

We concluded that, for the twelve-month period ended February 28, 2010, the Ministry of Justice and Attorney General’s processes for security awareness were adequate except the Ministry of Justice and Attorney General needs to:

• assess its security awareness needs

• update its formal plan for its security awareness program and carry out the plan

• monitor the effectiveness of its security awareness program

Key findings and recommendations

In this section, we describe our expectations (in italics) and key findings for each criterion.

Demonstrate management commitment to security awareness

To demonstrate management commitment to security awareness, we expect that agency management will:

• communicate responsibility for security awareness to all employees

• set an example by participating in security awareness activities

• approve human resources and a budget sufficient to carry out security awareness activities

Justice has set out responsibility for security in a security principles document. The document notes that all employees are responsible for the protection of Justice’s information.

Justice has created a position that is responsible for security awareness at Justice. This position provides advice to Justice employees on security issues.

Justice held security awareness sessions for its employees, including senior management. However, it held those sessions more than three years prior to the time of our audit. Justice told us it plans to hold security awareness sessions for all of its employees in 2010-2011. Justice told us that it has a small amount of money available for security awareness related activities each year. We did not find evidence that executive management discussed security awareness issues on a regular basis.

Security policies incorporate security awareness program

We expect that agency security policies will include the requirement for a security awareness program. The policy should require that the security awareness program:

• include all employees and relevant contractors

• be an on-going program to ensure that security issues are regularly discussed

• be reviewed for effectiveness on a regular basis

Justice has a computer security principles document that requires that internal and external users of information at Justice be made aware of relevant security policies and their responsibilities.

Justice also has a terms of reference document for its security awareness training program. This document requires that Justice assess its security awareness needs. Although the terms of reference document dates from 2004, Justice has not completed an assessment.

1. We recommend that the Ministry of Justice and Attorney
