Audit of Information Technology Dependence

Download the PDF version (138 KB)

Audit Report

Project # 09/10 01-03

March 2010

Table of Contents

1.0 Summary

1.1 Audit Objectives

The objective of this audit was to evaluate the appropriateness and effectiveness of existing controls over processes and procedures to reduce the risk of information technology (IT) dependence in the Canadian Space Agency's (the Agency) Information Management and Information Technology (IMIT) sector.

1.2 Audit Opinion

In our opinion, the processes and procedures designed to reduce the risk of IT dependence under IMIT's responsibility have moderate issues requiring management focus.

1.3 Statement of Assurance

In my professional judgment as Chief Audit Executive, the audit procedures followed and the evidence collected are sufficient and appropriate to support the opinion stated in this report. This opinion is based on a comparison of the conditions, as they existed at the time, with pre-established audit criteria approved by management. This opinion is only applicable to the subject examined.

1.4 Summary of Recommendations

We noted a number of good practices to reduce the risk of IT dependence in the IMIT sector. Management maintains an inventory of the Agency's applications and systems, including user-developed applications such as Microsoft Access databases. This practice will enable the Agency to determine whether environments can be combined to reduce support and maintenance activities.

We noted that the Agency placed a high priority on the IMIT strategic planning process and developed a four-year plan. A five-year equipment replacement plan was also developed to help plan future requirements.

As a result of our testing of the existing controls over processes and procedures designed to reduce the risk of IT dependence, we recommend that the Agency:

  • Consider reducing the number of existing technical environments and migrate certain environments to supported and shared platforms.
  • Review staffing requirements and develop a competencies matrix to support a cross-training plan to train backup staff.
  • Consider hiring a systems architect.
  • Finalize the IT recovery plan documentation.
  • Complete the business continuity plan by documenting the recovery steps under IMIT's responsibility.

Signature of Chief Audit Executive

Original signed by Dominique Breden

Audit team member

Pierre Lapointe, Associate Partner, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
David Liberatore, Senior Manager, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Stephanie Ranno, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Anne Turski, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Ndeye Astou Ndao, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.

2.0 Audit Report

2.1 Background

The Agency's mission is to lead the development and application of space knowledge for the benefit of Canadians and humanity. Its mandate is to promote the peaceful use and development of space, to advance the knowledge of space through science and to ensure that space science and technology provide social and economic benefits for Canadians.

The Agency has some 635 employees with about 90% of them employed at the John H. Chapman Centre, the Agency's headquarters located in St-Hubert, Quebec. There are 90 positions in the IMIT sector (79 employees and 11 vacancies). About 30 of the 79 employees are assigned to information management and the rest to IT management. They perform traditional IT duties including:

  • designing and implementing telecommunications systems, networks and storage systems,
  • installing and configuring work stations, applications and databases, and
  • providing associated technical support.

About 85% of the Agency's information systems run in a Windows environment and 15% in a UNIX environment. Their network now has from 900 to 1,000 users, most of them working at the Agency's headquarters in St-Hubert, Quebec.

The Agency's organizational structure reflects the global context. Space activities are increasingly service-oriented and mainly focus on the needs of end users and the integration of technologies with terrestrial applications. The scope of the IMIT Directorate's responsibility includes managing applications, data and technologies for corporate systems. Approximately 60 applications, either commercial or internally developed, are managed by IMIT.

IMIT's role is to understand requirements and circumstances and develop and implement policies, procedures, programs and activities in response to these requirements.

There are risks involved in achieving IMIT's objectives, such as the quantity and scope of the data it manages. Given the volume of data managed by IMIT, adequate backup and data retention are a significant risk.

2.2 Audit Objectives, Scope and Approach

The purpose of the audit was to evaluate the appropriateness and effectiveness of existing controls over processes and procedures to reduce the risk of IT dependence in the Agency's IMIT sector.

The audit examined the IT processes and activities with subject to IT dependence as well as the activities to reduce IT dependence. More specifically, we examined the following subjects:

  • IT dependence
    • IT asset management
    • Business continuity management
    • Backup and media management
    • Succession planning (including staff development and training).

The audit only covered corporate systems, including applications, database management systems, operating systems and underlying network equipment, which are under IMIT's responsibility, thus excluding specific technical environments such as those of Satellite Operations and the International Space Centre's Mission Control Centre. Moreover, certain corporate systems including SAP are not managed by IMIT and were not covered by this audit. The audit was mainly performed at the Agency's headquarters in St-Hubert, Quebec.

Audit procedures were carried out from January to March 2010. The audit tests we performed consisted of interviewing stakeholders, examining existing documentation, examining existing equipment configurations and comparing procedures and controls implemented by the Agency against industry practices and their application.

2.3 Findings, Recommendations and Management Responses

The findings, recommendations and management responses are presented in detail in the following Appendix.

Appendix: Detailed Table of Findings, Recommendations and Management Responses

Ref. Findings Impacts Recommandations Management Response / Action Plan Timetable
1

There is little internal support capabilities for certain technologies (PowerBuilder and Microsoft Access). The recent inventory of user-developed applications indicated the existence of some 1,800 Microsoft Access databases, not all of which are supported by IMIT.

Moreover, for certain technologies, there is not enough staff to develop and use the potential capacity of the technology (for example Livelink and Citrix).

Overall, we noted a shortage of specific skills staff in certain IMIT groups, specifically storage, network infrastructure and database management systems.

This situation increases the risk of higher technology support costs.

This situation may also affect availability if systems or technologies are no longer supported.

  • Consider reducing the number of existing technical environments and migrating certain environments to supported and shared platforms.
  • Examine staffing requirements and perform a competencies assessment. Develop a cross-training plan to train backup resources.

Responsible : Chief Information Officer (CIO)

Applications such as EDRAdmin, Socrate and ORIS were developed in PowerBuilder.

Oris is currently being replaced with a new system in the Unitas project, which combines .Net, Java and the use of SAP services.

EDRAdmin is still being used because of the need to maintain the International Space Centre's robotic systems documentation. A new configuration management system is being analyzed.

Socrate is a modular application that will be rewritten in .Net in phases, the first of which will understand the basic system functions.

Access databases will still be used, but will be better supervised. Existing databases will be reviewed and a guideline will be issued for the development of new applications by IMIT and users.

The audit report confirms that there is not enough staff to support systems that are now critical to the CSA’s operations, specifically Livelink and Citrix. Two additional analysts were requested in the 2010-2011 work plans. Requests were also made for a storage analyst, network analyst and database management systems support.

First deliverable of the ORIS reprogramming – March 2011.
Identification of a configuration management system – March 2011.
Release of Socrate-based modules – June 2011.
Issuance of a guideline for development under Access – December 2010.
2010-2011 work plans and/or reference levels will be upgraded to 2011-2012 during summer 2010.
2 Two commercial application service providers do not or no longer provide support (CMStat, IRims).

This situation increases the risk of higher support costs for these technologies.

This situation may also affect availability if the systems or technologies are no longer supported.

Lastly, there is a risk that changes will be inconsistent with management's intentions.

The Agency should review the usefulness of these applications. If they are considered important, the Agency should consider ways of supporting these environments or migrating them to supported environments.

Responsible : CIO

CMStat is an engineering configuration management system used mainly for the Radarsat-2 mission. The supplier provides adequate software support. However, the CSA is analyzing various solutions that would provide a single configuration management system for all Agency projects.

IRims is still supported by OpenText, but there are no updates. The system has been replaced by a Livelink module. IRims is still used to catalogue hard copies. No new data is added, but the system must be maintained for the lifetime of the documents that have been recorded.

Identification of a configuration management system for the CSA – March 2011
3

Periodic Microsoft licence reviews are not performed systematically.

Moreover, there is no procedure in place to ensure that the Oracle licence inventory is kept up-to-date.

This situation increases the risk that there will not be enough active licences for the actual number of users.

This situation increases the risk of understating or overstating the resulting costs.

Do a periodic follow-up of Microsoft licences and the Oracle licence inventory.

Responsible : CIO

As part of the work station migration to Vista and Office 2007, the Microsoft software licence records are updated.

Periodic review procedures will be implemented for Oracle licences (client version).

Migration will be completed in July 2010.

September 2010.
4 Although an IT recovery plan is currently being drafted, the Agency does not have a formal IT recovery plan at present. This situation increases the risk of delayed operations recovery in the event of a disaster.
  • First, the Agency should finalize its IT recovery plan documentation.
  • Secondly, the plan should be approved by the Agency's appropriate reporting level.

Responsible : CIO

A first draft of the IT recovery plan was completed and tested as of March 31, 2010.

Infrastructure changes are required for an effective recovery plan. The plan will be updated in September 2010 and then validated by simulation.

The plan will be submitted for approval by the IMIT management committee before the end of the fiscal year.

March 2011.
5 The steps in the Agency's business continuity plan for IMIT operations recovery are not documented.
Moreover, the Agency's business continuity plan has not been tested because it was never completed. However, the IT recovery plan was tested in April.
This situation increases the risk of delayed operations recovery in the event of a disaster.
  • Complete the Agency's business continuity plan by documenting the recovery steps under IMIT's responsibility.
  • Establish a test schedule for the business continuity plan.

Responsible : CIO and Director, Security and Facilities (DSF)

IMIT will align its business recovery plan with that of the CSA's business sectors.

The IT recovery plan will be updated accordingly.

CSA's Continuity Plan, under the authority of the Security and Facilities Sector of CSA's Corporate Services will be completed by March 31, 2011.
6 Generic accounts are used to access the backup systems. The use of generic accounts increases the risk of loss of production environment data integrity.
  • Consider removing generic account access privileges.
  • Consider changing the passwords of the generic user IDs.
  • Consider setting up user-specific accounts.

Responsible : CIO

The use of generic service accounts cannot be avoided in some circumstances, in which case, other methods are used to restrict access.

This particular case is being reviewed.

June 2010.
7 Vranger Pro backup tapes are not made and sent to an outside vault. This situation increases the risk of data reconstruction and additional delays in operations recovery in the event of a disaster. Make backup copies and send them to an outside vault.

Responsible : CIO

Since March, backup tapes of all virtual machines are made. The tapes are sent to LDF weekly.

No further action.
8 Backup errors are not logged and the resolution steps are not recorded. This situation increases the risk of data reconstruction and additional delays in operations recovery if data has to be restored. Log backup errors and steps taken to resolve the situation.

Responsible : CIO

A procedure will be developed to improve follow-up of backup results.

September 2010.
9 There is no formal backup testing. This increases the risk that backups will be unusable for recovery purposes, which could cause additional delays in operations recovery.
  • The Agency should first establish a backup recovery testing schedule.
  • Secondly, the Agency should perform and document the backup recovery tests.

Responsible : CIO

A data backup and recovery test plan will be developed.

The documentation and initial tests will follow the installation of backup equipment at LDF and the backup strategy.

December 2010.
10 Some employees have not had training in their area of expertise. We were informed that the training was cancelled in many cases because of restrictions on travel expenses.

This situation increases the risk that the employees will not have the skills to efficiently and effectively complete their activities as it could have been.

It also contributes to employee dissatisfaction.

  • Evaluate other kinds of training, such as distance training, internal courses, webcasts, etc.
  • Consider training appropriate staff in their respective areas of expertise and/or technologies.

Responsible : CIO

2009-2010 travel expense restrictions result from a Treasury Council policy. Most IMIT employees have received the required training, but the budget shortfall obliged management to postpone training requiring foreign travel.

IMIT's 2010-2011 work plans provide for training sessions and related travel budgets.

Fiscal 2010-2011.
11 In addition to their network administration duties, the network team is responsible for supporting approximately 15 applications. Although these applications are covered under a maintenance contract, the team has only one member. This situation increases the risk of delayed operations recovery in the event of extended absence. Consider training at least one replacement for these duties.

Responsible : CIO

A request was made to hire an extra employee for commercial software (COTS) releases and support handled by the network team.

The software support strategy will be reviewed.

March 2011.
12

In some cases, IT waits for funding before replacing certain obsolete technology (for instance, storage units).

Moreover, the usage levels of the existing environments are not reviewed to confirm whether they are still being used.

This situation increases the risk that the level of user services will be below expectations.
  • Use, costs and risks related to deferring updates should be evaluated and timely decisions made accordingly.
  • Eliminate environments that are no longer being used.

Responsible : CIO

A replacement plan for obsolete equipment and utilities that are no longer manufacturer-supported is in place. Obsolescence is not a problem. Major purchases are often financed from budget surpluses. A proposal was submitted to the CFO to have these funds made available to IMIT earlier in the year to avoid constraints related to last-minute purchases.

We do not believe that the technologies used at the CSA become obsolete enough to present a risk of unauthorized access. Satellite Operations is the sector where, for operational reasons, certain obsolete systems are still used. However, the environment is controlled.

As far as we know, there are no environments that are no longer used aside from certain applications. An applications portfolio review was done in 2009-2010 and an annual follow-up will be done.

Applications portfolio review in 2010-2011 and development of a plan to eliminate unused applications and duplications.
13 The IMIT human resources plan identifying critical resources and replacements has not been completed. This situation increases the risk that the employees' work will be inadequate or not as effective as it could have been in the event of unexpected departures or extended leaves. Complete and implement the IMIT human resources plan.

Responsible : CIO

A critical resource replacement plan will be developed.

March 2011.
14 We noted that there were 11 vacant positions in the IMIT organization chart, that is, five IM vacancies and six IT vacancies. This situation increases the risk that the level of user services will be below expectations. Fill the vacancies and begin the transition of responsibilities.

Responsible : CIO

Hiring processes for IM and IT vacancies are underway.

The positions will be filled by the end of 2011.

Note: Certain positions will probably be filled by internal staff, resulting in a domino effect and new hiring processes.

15 We noted deficiencies in IT architecture planning at the Agency. These deficiencies were noted in technologies with little or no support (see 1.12), replacement of technology considered obsolete (see 1.2) and vacancies on the organization chart (see 1.14).

This situation increases the risk that the level of user services will be below expectations.

This situation increases the risk of unauthorized access to the Agency's systems.

Consider hiring a systems architect.

Responsable : CIO

The IMIT Directorate is considering creating the position of enterprise architect responsible for developing business, information, application and technical architecture.

Additional funds will have to be requested for the new position, probably level CS-04.

March 2012.