Internal Audit of User Access Management
Final Report
Audit, Evaluation, and Risk Branch
May 2013
Executive Summary
Background
User access management (UAM) is a fundamental element of information technology (IT) security. Controlling access to the Canada Revenue Agency (CRA) IT systems is critical in order to ensure that information assets are protected. The protection and authorized use of CRA information assets can only be achieved and maintained through effective UAM practices across all CRA IT platforms.
Effective UAM requires enterprise-wide governance, and sustained effort and diligence by IT platform owners, administrators, managers and users. User access controls must exist, and established processes must be followed by all individuals to ensure the confidentiality, integrity and availability of taxpayer/registrant information assets.
As a front-line monitoring control in the Agency’s Integrity Framework, the management and control of access to CRA IT platforms is an ongoing responsibility of Agency managers at all levels. Managers are responsible for ensuring that individuals have the necessary information to perform their duties.
Internal audits of Privileged User Risk Management (PURM) and UAM were approved as part of the Five Year Audit Plan for IT Security and the Corporate Audit and Evaluation Branch Business Plan for 2010-2011 to 2012-2013. As PURM is a component of UAM, it has been covered under this internal audit.
Objective
The objective of the audit was to provide assurance that controls are in place and working as intended to ensure that user access administration is managed and monitored according to CRA policies, standards and procedures, including controls over privileged access.
Conclusion
Internal controls, including policies and standards, are in place and working to support the achievement of established goals and objectives for UAM. UAM continues to evolve with the creation of tools and new initiatives. However, certain opportunities exist for the Agency to further strengthen its processes to ensure that UAM is managed effectively and efficiently, and in a consistent and standard manner, including the following:
- Procedures should be comprehensive and documented to ensure consistency;
- Supporting tools should be consistent and current across all regions and branches;
- Roles and responsibilities should be clearly defined and communicated in a timely manner for certain activities (provisioning and monitoring); and
- Compliance with UAM requirements as stated in policy and standards should be improved.
By addressing the findings above, the Agency can further strengthen the processes in order to ensure that UAM within CRA is managed effectively and efficiently, and in a consistent and standard manner.
Action Plan
Finance and Administration (F&A) Branch, Security and Internal Affairs Directorate (SIAD) agrees with the findings and recommendations, which represent a snapshot in time during which the audit was undertaken. Progress on improving the controls has been made since that time and plans are in place to address all of the recommendations.
The CRA recognizes that ensuring taxpayer confidentiality is a fundamental and critical element in maintaining the public’s trust and confidence in the tax system. Therefore, significant emphasis has been placed on fostering a culture of integrity among our workforce and strengthening our security control measures to protect taxpayer and other confidential Agency information.
As a result of this fundamental focus, the CRA has developed and implemented robust controls that have continually improved the Agency’s security posture on its UAM processes. A network of interconnected tools has been implemented over the past several years that have resulted in significant improvements to the risks to taxpayer confidentiality that can be posed by employee access. This network of controls draws on governing policies, employee education, training and awareness, automated process controls that restrict and limit an employee’s ability to access data, as well as electronic and manual tools and processes to monitor and track activities.
Additionally, a suite of tools was developed and implemented to enable all managers in performing their duties and responsibilities related to access management. Continual enhancements are made to streamline processes while allowing monitoring of activities to ensure compliance. Tools like the Role Based Access Guide (RBAG), System Access Definition Catalogue (SADC) and Employee System Access Review (ESAR) share a synergetic rapport, their combined purpose to achieve greater efficiency of the Agency’s UAM practices while also supporting the core security principles of "least privilege", "segregation of duties" and "need to know". By upholding and enforcing these fundamental principles, the CRA ensures that its employees are limited to access only the information required to perform their duties.
Manual tools and processes also contribute to the Agency’s successful network of UAM practices. The Privileged User Risk Management (PURM) process governs requests to grant higher risk access privileges. These requests are carefully evaluated and granted only if proven necessary.
The CRA has continually and systematically strengthened the network of internal controls that are in place to monitor and safeguard the data entrusted to us by Canadians. For example, in June 2012 the CRA introduced changes in the manner by which the semi-annual review of employee system access is conducted, thereby increasing senior management support and accountability for the completion of this control review. Building on this change, each successive semi-annual review of employee access highlights a specific category of accesses to receive increased attention by management. The review and update of the employee security awareness products in use at the CRA is another example of the continuous cycle of improvement of security controls.
The security function within the Agency is a shared responsibility throughout the organization, with well-defined roles integrated across the Agency’s management structure. The overall responsibility for functional direction, guidance and leadership of the security discipline resides with SIAD.
Although outside the scope of this audit, the Agency is implementing additional measures to enhance its integrity posture, including strengthening its discipline policy, and improving its ability to monitor employee’s activities once access has been granted.
The CRA recognizes the risks associated with UAM, which is why there is a continual evaluation, review and update of all the tools and processes associated with this function. This ensures that we are employing the most effective controls to address the evolving risks. While all of the findings and recommendations have been addressed with specific action plans detailed within the report, the majority of them will be addressed through the following three key initiatives:
- The Identity and Access Management (IAM) Project
- The SIAD Corporate Policy Instrument (CPI) Modernization Project, and
- The IT Helpdesk Modernization Project (also known as Mainframe Account Administration Project)
As demonstrated by the significant investment of resources dedicated to these three projects, the CRA is committed to their successful implementation, the combined outcome of which will greatly strengthen the Agency’s security posture, significantly improve the effectiveness of its practices and provide strong governance on UAM.
Introduction
The Canada Revenue Agency (CRA) relies extensively on the use of Information Technology (IT) to administer tax and benefit programs that touch the lives of all Canadians. It also has the obligation to ensure proper protection and authorized use of CRA and taxpayer/registrant information assets by properly managing access to those resources.
User access management (UAM) is a fundamental element of IT security. Controlling access to CRA IT systems is critical in order to ensure that information assets are protected. Effective UAM requires enterprise-wide governance, and sustained effort and diligence by IT platform owners, administrators, managers and users. User access controls must be defined, implemented and effective, and established processes must be followed by all individuals to ensure the confidentiality, integrity and availability of taxpayer/registrant information.
UAM is a shared responsibility within the CRA:
- The Director General, Finance and Administration (F&A) Branch, Security and Internal Affairs Directorate (SIAD), is the Agency Security Officer and has overall responsibility for the management of the Security Program. SIAD is the functional owner of the Information Security Program and is responsible for information security policies, including maintaining and ensuring compliance with CRA’s Financial Administration Manual (FAM) Chapter 17 policy (Footnote 1). SIAD is also the functional authority responsible for delivery of the Privileged User Risk Management (PURM) program.
- The Information Technology Branch (ITB), IT Security and Continuity Division is responsible for developing and publishing standards on IT access controls, including the User Identification and Authentication Security Standard (UIASS) and the Generic Account Administration (GAA) Standard. ITB is also responsible for selecting and approving administration control software and monitoring compliance with access control systems.
- Access to CRA IT platforms is administered by privileged users including CRA IT platform owners, IT support groups, and security administrators.
- Supervisors and managers are responsible for identifying and authorizing the requirement for access and for ensuring that the assigned functions are in line with the user’s work-related tasks (Footnote 2).
The CRA user community is divided into two groups:
- The non-privileged user who requires access to CRA IT platforms to perform their daily work activities. This user can be a CRA employee, other government department (OGD) employee, a CRA partner employee, a consultant or a contractor. Only individuals with a valid enhanced reliability status should have access to CRA IT platforms.
- The privileged user who is granted administrative powers, which can be system-wide or restricted to site, region, system, or work requirements, in order to perform their job. Access to CRA IT platforms is administered by privileged users. PURM is the standardized process for requesting, authorizing, granting, reviewing and removing privileged access. PURM was developed to introduce best practices associated with managing privileged users.
Access to CRA IT platforms may also occur through the use of a generic account. A generic account is a special purpose account that is not assigned to a specific individual. It requires special authorization, as no single user is accountable for its use. Generic accounts are used by the CRA, typically for training and testing purposes. However, generic accounts may also be created for privileged access to CRA IT platforms when warranted by specific system configuration needs.
The CRA IT environment consists of seven mainframes, more than 1700 servers, and 493 national line of business applications (Footnote 3). For the purposes of this audit, the major CRA IT platforms residing on the production (Footnote 4) environment include the:
- Mainframe;
- Distributed Computing Environment (DCE);
- e-Business Computing Infrastructure (eBCI); and
- SAP (Corporate Administrative System (CAS) and Revenue Ledger (RL)).
The proper protection and authorized use of CRA and taxpayer/registrant information assets can only be achieved and maintained through effective UAM practices across all CRA IT platforms. See Appendix A for a description of the major CRA IT platforms.
The CRA’s FAM Chapter 17 policy and the UIASS provide the following UAM principles and practices that enable users to perform their duties and to mitigate risks with respect to potential error or internal fraud activities:
| Principle | Description |
| --- | --- |
| Accountability | Access to CRA IT platforms by users must be conducted using a valid and verifiable CRA user identity (UserID). Valid CRA UserIDs are essential in order to provide access control, verifiable audit logs and to assign user privileges. Verifiable user accounts can be traced to a Personnel Record Identifier (PRI), Non-Government Employee Identifier (NGE ID) or equivalent for user accounts of external CRA partners. |
| Need to Know | The need for someone to access and know information in order to perform his or her duties. |
| Least Privilege | An individual is given only the access needed to accomplish the task and nothing more. |
| Segregation of Duties | A process that is divided between different individuals in order to reduce the scope for error and fraud. For example, an individual who authorizes the cheque is not the same individual who writes the cheque. |
Focus of the Audit
The objective of the audit was to provide assurance that controls are in place and working as intended to ensure that user access administration is managed and monitored according to CRA policies, standards and procedures, including controls over privileged access.
For the purposes of this audit, only major CRA IT platforms residing on the production environment were reviewed. These platforms (Mainframe; DCE; eBCI; CAS and RL) are described in Appendix A.
This audit was conducted at Headquarters and all regions. Audit tests focused on CRA production environments, where CRA and taxpayer/registrant information assets reside.
The examination phase of the audit was conducted between January and September 2012.
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and Information Systems Audit and Control Association IT audit and control standards.
Findings, recommendations and action plans
1.0 Program Management
Proper UAM is reliant on goals and objectives, policy and standards, procedures and guidelines, and supporting tools. A formal process for monitoring and reviewing results for the purpose of identifying trends, problems and opportunities for improvement should be in place, and supported by appropriate performance indicators.
1.1 Goals and Objectives
UAM is a mature program and the goals and objectives are established, published, and communicated via the Agency Intranet (InfoZone); this includes the FAM, PURM and ITB’s Best Practices website.
1.2 Policies and Standards
The national policies and standards exist, are consistent, current, published and communicated to all stakeholders via the Agency Intranet (InfoZone).
CRA policies and standards related to user access management are, for the most part, consistent with Treasury Board Secretariat (TBS) requirements except for the requirement (Footnote 5) that “…departments must screen, to at least the secret level, all personnel with privileged access to critical systems.” This gap in CRA policy may result in critical systems being accessed by inadequately screened personnel.
1.3 Procedures and Guidelines
For consistent management of user access across the Agency, local procedures and guidelines that support the program should exist and be consistent for all platforms and regions.
During the site visits, it was determined that procedures and guidelines are not all formally documented and consistent for all platforms and regions, in particular for the Mainframe and eBCI platforms.
Without properly documented procedures, the risk of inappropriate or unauthorized access is increased. UAM may not be performed consistently across the Agency.
1.4 Supporting Tools
Supporting tools for UAM are not consistent or current across all regions and branches. A variety of other tools, in addition to those developed by F&A, are used, ranging from e-mails, web and manual forms and locally developed solutions for access requests and provisioning.
Tools developed by F&A to assist in the management of user access include:
- The Role Based Access Guide (RBAG) that defines a set of standardized functional roles that associate a set of access profiles to specific work within an organization;
- The System Access Definition Catalogue (SADC) that provides a database of definition of access rights grouping (profiles) and access rights (permissions) for National applications hosted on CRA environments; and
- The Employee System Access Review (ESAR) tool to assist managers and supervisors in performing the employee semi-annual review. This tool provides user access information for all platforms with the exception of eBCI. This tool uses the employee’s organizational information to assign the person to the responsible manager.
The SADC provides managers with a plain language authoritative catalogue to support the assignment of minimum system profiles and/or access permissions via the RBAG by clarifying the specific content of profiles and permissions. However, the RBAG and SADC were determined not to be current. Consequently, some areas had to rely on locally developed references such as spreadsheets, electronic and hard copy documentation. Incomplete and/or outdated access information increases the risk of inappropriate or unauthorized access and may jeopardize adherence to the segregation of duties principle.
Users such as consultants, contractors, external users (OGD and CRA partner employees) and generic accounts are not included in the ESAR tool since they are not linked to an organizational unit and to a manager. This linkage is critical as it forms the basis of the access review.
1.5 Roles and Responsibilities
Sound UAM practices require that roles and responsibilities be clearly defined, communicated and performed consistently.
Roles and responsibilities are not clearly defined or communicated with respect to provisioning (i.e. granting and removing accesses). Roles and responsibilities in procedures were not defined or communicated for all platforms and regions, particularly for the Mainframe and eBCI platforms. Some regions use a centralized helpdesk via email, some use a web-based form, and some provision through local client access administrators (VCAs) who take approvals from managers over the telephone.
Monitoring roles and responsibilities relating to the manager’s employee semi-annual review activities for all platform accesses, and the use of the ESAR tool, are not clearly understood. There is no consistent guidance as to which tool should be used to perform the semi-annual review.
This poses a risk of overprovisioning and inappropriate access to information assets, jeopardizing the “Need to Know”, “Least Privilege” and “Segregation of Duties” principles.
1.6 Performance Indicators
Performance indicators should be used to provide the necessary information to enhance the decision-making process and to take corrective action to address identified gaps.
At the time of the audit, the semi-annual performance report (Employee Access Review Statistics) was available, but deficiencies had been noted in the follow-up procedures that support decision-making. There was no mechanism in place to ensure that all UserIDs had been reviewed or that gaps in the review and reporting process were being addressed.
The lack of follow-up procedures may result in missed opportunities to improve user access management, enhance the decision-making process, and to reduce the risk of inappropriate or unauthorized access. Corrective action may not be taken on a timely basis to address identified gaps, trends and patterns.
Recommendations
SIAD should ensure that UAM procedures, including roles and responsibilities, are developed, documented and communicated for all platforms to ensure consistency across regions and branches.
SIAD should mandate the use of consistent and current supporting tools that are compliant with CRA policy instruments for UAM. In addition, SIAD should ensure the integrity of data captured in RBAG and SADC.
SIAD should consult with TBS to clarify the requirement for secret security clearance in MITS 16.3 by defining the terms "privileged access" and "critical systems" as it relates to CRA. SIAD should then ensure compliance with the TBS requirement or document any variance to justify why the requirement is not met.
SIAD should establish follow-up mechanisms to ensure that deficiencies in the performance report are identified, addressed, and monitored and that corrective action is taken when required.
Action Plan
To address the recommendation that SIAD should ensure that UAM procedures, including roles and responsibilities, are developed, documented and communicated for all platforms to ensure consistency across regions and branches:
SIAD has initiated a comprehensive project to redesign and update the structure and content of all corporate policy instruments (CPIs) for the Security and Emergency Management programs. Due to the complexity of this undertaking (with over 91 current policy documents), SIAD has developed a project plan to guide the process and has placed a priority on the CPIs governing Information Security, including user access management.
As of May 2013, the Information Security CPIs have been drafted and stakeholder reviews completed by all branches and regions. The CPIs are in the final stages of approval and will be distributed and communicated to all employees by the end of Q1 of fiscal year 2013-2014.
As a result of this project, UAM procedures, roles and responsibilities will be clear, formally documented and consistent across all regions and platforms.
To address the recommendation that SIAD should mandate the use of consistent and current supporting tools that are compliant with CRA policy instruments for UAM. In addition, SIAD should ensure the integrity of data captured in RBAG and SADC:
Beginning with the December 2012 semi-annual review process, a call letter was distributed from the CFO and Assistant Commissioner of F&A Branch to the Agency Management Committee specifying that the use of the ESAR tool is mandatory for reviewing employee access permissions, that the review must be completed by the employee’s supervising manager and that this responsibility cannot be delegated or centralized.
To address concerns over the integrity of data within the RBAG and SADC repositories, SIAD initiated a working group in December 2012 with representation from the key stakeholder branches to develop a strategy document to identify and address any deficiencies in the current RBAG and SADC tools. Although much work has already been done by individual branches (as application owners) to update the records under their functional authority, this working group will document and prescribe the best practices to be followed to ensure the data within these repositories is up to date and populated in a consistent manner by all application owners. The RBAG and SADC strategy document will be completed by September 30, 2013.
To address the recommendation that SIAD should consult with TBS to clarify the requirement for secret security clearance in MITS 16.3 by defining the terms "privileged access" and "critical systems" as it relates to CRA. SIAD should then ensure compliance with the TBS requirement or document any variance to justify why the requirement is not met:
SIAD has consulted with TBS and received clarification on the terms “privileged access” and “critical systems”. Using this clarification, the CRA will undertake an initiative in fiscal year 2013-14 to consult with ITB to identify all positions for which a security clearance of secret is required in order to be compliant with the TBS standard. By September 30th, 2013 SIAD will develop an implementation plan for coordinating the completion of the required clearances or document any variances to justify why the requirement is not met. The CPI on personnel security screening will also be modified to include details regarding this requirement.
To address the recommendation that SIAD should establish follow-up mechanisms to ensure that deficiencies in the performance report are identified, addressed, and monitored and that corrective action is taken when required:
With the launch of the semi-annual ESAR review in June 2012, an important change in the administration was introduced whereby regional and branch ACs were required to consolidate the ESAR results for their respective branch or region and submit a summary roll-up to the Assistant Commissioner, F&A. In addition to enhancing the executive accountability for the semi-annual exercise, this change has provided SIAD with increased ability to analyze the results, challenge any branch or regional results as required, address any deficiencies and report on trends.
Beginning with the December 2012 semi-annual ESAR review, SIAD has initiated a process to conduct quality reviews on random samples of completed reviews of employee access permissions in order to monitor the effectiveness of the ESAR process and identify opportunities for strengthening the ESAR training and communication for managers.
2.0 Compliance with CRA Policies, Standards and Procedures
In order to ensure compliance with the UAM policy and standards, controls for the provisioning (i.e. granting and removing) of accesses should be established and monitored to confirm they are working as intended.
2.1 Accountability
The baseline identification security requirements identified in the UIASS mandate that access to systems be granted with a valid and verifiable user identity (UserID). This UserID is to be generated using the Corporate Administrative System (CAS), which is the primary identity repository, and can only be created when authorized by a manager using the User Access Authority form (TF469).
Each UserID is to respect a defined format (three alpha characters followed by three numeric characters) and be associated with a valid PRI or NGE ID. The UserID for the same individual is to be used on all platforms. The consistent use of a unique UserID is key to promoting accountability when using or accessing taxpayer/registrant information and CRA systems.
Results from data analysis of the UserIDs of various platforms, document reviews and comments from interviews identified instances where:
- the UserID format stipulated in the UIASS was not respected (i.e. they are other than 3A3N);
- the UserIDs are linked to an invalid PRI;
- generic accounts are not readily identifiable in CRA platforms;
- some external users are not registered in CAS; and
- not all external (CRA partners) users are readily identifiable on CRA platforms.
User access management may not be performed consistently across the Agency resulting in ineffective management of controls over access to CRA platforms. Without the ability to properly link accounts to individuals, the accountability for the access to taxpayer/registrant information cannot be exercised.
2.2 Need to Know
Access to information should be based on the individual need to access information in order to perform his or her role and duties. This access is granted based upon management approval.
As part of the testing and documentation review, it was noted that there were instances of undocumented access requests (including PURM requests) which may have resulted from user access not being managed centrally and consistently, procedures that are not fully documented or differing tools used across regions and branches.
Undocumented access requests may result in unauthorized access to CRA platforms.
2.3 Least Privilege
Supervisors/managers must ensure that user access privileges are kept current and are to advise the access administrator when the access requirements change or are no longer required. An individual should access only the information needed to accomplish the task in order to respect the least privilege principle. This is especially true when an individual assumes new duties or has a change in employment status (e.g. termination of employment, change in job functions, extended leave where the leave period exceeds 60 consecutive days, transfer, on-loan). Under these circumstances, accesses must be granted and/or deleted to adhere to the least privilege principle. UserIDs that reach 60 consecutive days of inactivity must be suspended on a timely basis. Both elements mitigate the risk of inappropriate access to CRA platforms.
Data analysis of the UserIDs of various platforms, interviews and document reviews indicate that there are instances where:
- UserIDs have not been suspended after 60 days of inactivity (some with more than 365 days of inactivity);
- User access requests are not always communicated in a timely manner to access administrators; and
- User access requests are not always actioned in a timely manner by access administrators.
Without timely removal of access, there is a risk of overprovisioning and inappropriate access contrary to the principles of “Segregation of Duties”, “Need to Know” and “Least Privilege”.
2.4 Segregation of Duties
Segregation of duties is a control mechanism whereby a process is broken into its constituent components and the responsibility for executing each component is assigned to different individuals. This type of control helps to prevent or detect errors and irregularities.
Segregation of duties controls are not fully implemented and working as intended. Results from audit testing identified instances where individuals with the ability to administer information were also end users, contrary to the segregation of duties principle, as administration and end use are incompatible functions.
The lack of segregation of duties controls increases the risk of overprovisioning and inappropriate access to information, jeopardizing the “Need to Know” and “Least Privilege” principles.
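The findings in 2.1, 2.3 and 2.4 above (UserID format and traceability, one UserID per person across platforms, 60-day inactivity, administrator and end-user roles held together) can be checked mechanically before a semi-annual review. The following is an added example, not a CRA tool or part of the report; the account inventory, identifier values, manager names and the ADMIN/USER role labels are constructed assumptions.

```python
# Added illustration, not a CRA tool: an automated pre-review of an account
# inventory against the UAM checks in sections 2.1, 2.3 and 2.4 of this report.
# The inventory, identifier values, manager names and ADMIN/USER role names
# are constructed assumptions.
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# UIASS UserID format: three alpha characters followed by three numeric (3A3N).
USERID_3A3N = re.compile(r"^[A-Z]{3}[0-9]{3}$")
# Inactivity threshold after which a UserID must be suspended.
INACTIVITY_LIMIT_DAYS = 60
# Assumed role labels: ADMIN administers a platform, USER consumes it.
ADMIN_ROLES = frozenset({"ADMIN"})
END_USER_ROLES = frozenset({"USER"})

@dataclass(frozen=True)
class Account:
    user_id: str
    platform: str              # Mainframe, DCE, eBCI, CAS or RL
    identifier: str | None     # PRI or NGE ID the account traces to; None if not in CAS
    manager: str | None        # responsible manager via org-unit linkage (ESAR basis)
    last_login: date | None    # None means no recorded activity
    roles: frozenset[str]
    generic: bool = False      # special-purpose account not assigned to an individual

def days_inactive(acct: Account, today: date) -> int | None:
    """Days since the last recorded use, or None if the account was never used."""
    return None if acct.last_login is None else (today - acct.last_login).days

def check_account(acct: Account, valid_identifiers: set[str], today: date) -> list[str]:
    """Return finding codes for one account; an empty list means it passes."""
    findings: list[str] = []
    if not acct.generic:
        # 2.1 Accountability: valid format and traceable to a PRI or NGE ID.
        if not USERID_3A3N.match(acct.user_id):
            findings.append("FORMAT_NOT_3A3N")
        if acct.identifier not in valid_identifiers:
            findings.append("UNVERIFIABLE_IDENTITY")
    # 1.4: accounts with no manager linkage fall outside the ESAR semi-annual review.
    if acct.manager is None:
        findings.append("NO_RESPONSIBLE_MANAGER")
    # 2.3 Least Privilege: suspend after 60 consecutive days of inactivity.
    idle = days_inactive(acct, today)
    if idle is None or idle >= INACTIVITY_LIMIT_DAYS:
        findings.append("INACTIVE_60_DAYS")
    # 2.4 Segregation of Duties: administering and using a platform are incompatible.
    if acct.roles & ADMIN_ROLES and acct.roles & END_USER_ROLES:
        findings.append("SOD_ADMIN_AND_END_USER")
    return findings

def review(accounts: list[Account], valid_identifiers: set[str],
           today: date) -> dict[str, list[str]]:
    """Per-account checks plus the cross-platform 'one UserID per person' check."""
    report: dict[str, list[str]] = {}
    ids_per_person: dict[str, set[str]] = defaultdict(set)
    for acct in accounts:
        report[f"{acct.platform}:{acct.user_id}"] = check_account(acct, valid_identifiers, today)
        if acct.identifier is not None:
            ids_per_person[acct.identifier].add(acct.user_id)
    # 2.1: the same individual must use the same UserID on all platforms.
    for acct in accounts:
        if acct.identifier is not None and len(ids_per_person[acct.identifier]) > 1:
            report[f"{acct.platform}:{acct.user_id}"].append("MULTIPLE_USERIDS_FOR_PERSON")
    return report

def summarize(report: dict[str, list[str]]) -> dict[str, int]:
    """Count findings by code, the raw material for a performance indicator (1.6)."""
    counts: Counter[str] = Counter()
    for findings in report.values():
        counts.update(findings)
    return dict(counts)

# Constructed sample inventory, dated to the end of the examination phase.
TODAY = date(2012, 9, 30)
VALID_IDENTIFIERS = {"PRI-000111", "PRI-000222", "NGE-000333"}
SAMPLE_ACCOUNTS = [
    Account("ABC123", "Mainframe", "PRI-000111", "mgr-a", date(2012, 9, 20), frozenset({"USER"})),
    Account("ABC123", "DCE", "PRI-000111", "mgr-a", date(2012, 9, 25), frozenset({"USER"})),
    # Same person holds two different UserIDs; one idle over a year, one admin plus end user.
    Account("XYZ999", "CAS", "PRI-000222", "mgr-b", date(2011, 6, 1), frozenset({"USER"})),
    Account("ZZZ001", "eBCI", "PRI-000222", "mgr-b", date(2012, 9, 1), frozenset({"ADMIN", "USER"})),
    # Contractor with a non-3A3N UserID and no manager linkage (not reviewable in ESAR).
    Account("CONTR1", "DCE", "NGE-000333", None, date(2012, 9, 28), frozenset({"USER"})),
    # External user not registered in CAS: no PRI or NGE ID to trace to.
    Account("PQR777", "eBCI", None, "mgr-c", date(2012, 9, 29), frozenset({"USER"})),
    # Generic training account: never used and accountable to no manager.
    Account("TRAIN1", "Mainframe", None, None, None, frozenset({"USER"}), generic=True),
]

if __name__ == "__main__":
    for key, findings in review(SAMPLE_ACCOUNTS, VALID_IDENTIFIERS, TODAY).items():
        print(f"{key:<20} {', '.join(findings) or 'OK'}")
    print(summarize(review(SAMPLE_ACCOUNTS, VALID_IDENTIFIERS, TODAY)))
```

Generic accounts are deliberately exempted from the format and traceability checks, since the report describes them as unassigned to an individual, but they still surface through the missing-manager and inactivity checks.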
Recommendations
SIAD should ensure that user access stakeholders comply with the FAM Chapter 17 and the UIASS. SIAD should ensure that platform owners suspend user accounts that are inactive for a period of 60 days or more and that all user access requests are documented and approved.
SIAD should ensure that user access is managed consistently through common guidelines and procedures across platforms, regions and branches.
SIAD should ensure that segregation of duties controls are implemented, tested and monitored to ensure that they are working as intended.
Action Plan
To address the recommendation that SIAD should ensure that user access stakeholders comply with the FAM Chapter 17 and the UIASS. SIAD should ensure that platform owners suspend user accounts that are inactive for a period of 60 days or more and that all user access requests are documented and approved:
Managers are responsible for following established processes of revoking access for users that no longer require access. Phase 2 (Identity Synchronization) of the IAM Project will see the implementation of a new Authoritative Identity Store in June 2013 that will provide SIAD with enhanced reporting capabilities, therefore permitting more effective monitoring of the accounts in existence and ensuring that all accounts inactive for a period of 60 days or more are identified and appropriate action taken by the platform owners or their responsible manager. Additionally, phase 4 (Access Management) of the IAM Project will provide the Agency with increased assurance of compliance by enabling automation of de-provisioning of system access permissions of any user of the CRA infrastructure that has severed their relationship with the Agency. This phase of the IAM project is expected to be completed during fiscal year 2015-16.
To address the recommendation that SIAD should ensure that user access is managed consistently through common guidelines and procedures across platforms, regions and branches:
SIAD, in collaboration with ITB, is proceeding with an initiative to centralize access provisioning and de-provisioning responsibilities for the mainframe environment. This process is currently decentralized, which has led to discrepancies in operational best practices. A national centralized service delivery model will eliminate inconsistencies in UAM procedures for the mainframe platform. This initiative will be completed by March 31, 2014, at which time user access provisioning and de-provisioning for the mainframe environment will be processed through the centralized service.
To address the recommendation that SIAD should ensure that segregation of duties controls are implemented, tested and monitored to ensure that they are working as intended:
SIAD has completed the draft of a new directive on segregation of duties that will provide direction and guidance on the administration of this control within the Agency and on the associated roles and responsibilities. The Directive is currently undergoing stakeholder review and will be distributed and communicated to all employees by September 30, 2013. Through consultation and engagement with the IAM Working Group and Steering Committee, SIAD will coordinate the development of templates and direction for identifying and documenting conflicts, as well as a strategy document that will include recommendations and plans for implementing, testing and monitoring segregation of duties conflicts. This strategy document will be developed by September 30, 2013.
3.0 Monitoring
Policy mandates that supervisors/managers review user access privileges at least semi-annually to ensure that access to the Agency's IT platforms and information is in accordance with assigned work-related activities. Inadequate monitoring of access activities delays the identification of inappropriate access and inappropriate activities for corrective action.
Roles and responsibilities for monitoring are not clearly defined and understood. The process of monitoring is not consistently managed across the Agency.
The current review tool (ESAR) lacks some information required to perform a full user access review. Access information for the eBCI platform, consultant/external (CRA Partner) users and generic accounts is not currently provided to supervisors/managers. The tool does not enforce that the appropriate supervisory authority (i.e. the immediate supervisor) reviews user access.
F&A has made progress in improving the monitoring controls and the tool: Revenue Ledger (RL) information was added in December 2011 and privileged access is highlighted to ensure that it is properly reviewed.
Privileged users can be identified, but their activities are not monitored on all platforms by the appropriate supervisory authority.
Recommendations
SIAD should mandate the use of a standardized tool for the semi-annual access review process. This tool should also provide complete information (including external users and all platforms) to appropriate supervisors/managers for the review.
SIAD should ensure that a designated authority monitors the activities of all privileged users across the platforms.
Action Plan
To address the recommendation that SIAD should mandate the use of a standardized tool for the semi-annual access review process. This tool should also provide complete information (including external users and all platforms) to appropriate supervisors/managers for the review:
The use of the ESAR tool during the semi-annual review process has been made mandatory as of the December 2012 review.
As a result of the implementation of the AIS through Phase 2 of the IAM project in February 2013, SIAD will have a repository that includes complete information on all users of all platforms (internal and external). Under Phase 4 of the IAM project, SIAD will connect the ESAR tool to the AIS as its data source, so that ESAR includes information on all user accounts across all platforms, including multiple and generic accounts, for employees, contractors and external partners. Phase 4 of the IAM project is currently in the options analysis stage, with implementation planned for 2015-16.
As an interim procedure until ESAR is converted to the AIS database, SIAD will:
- develop and implement new procedures for the validation of all new and existing external users and for the regular review of their access permissions; this process will be implemented by March 31, 2014; and
- initiate a pilot project to target access reviews for one of the major eBCI platform applications (Synergy) that is not currently included in the ESAR tool and semi-annual process. This pilot project will be completed by March 31, 2014, at which time SIAD will evaluate other eBCI applications for a similar review.
To address the recommendation that SIAD should ensure that a designated authority monitors the activities of all privileged users across the platforms:
SIAD will develop a strategy to implement a process for monitoring actions taken by users with approved PURM accesses. This strategy will be developed by September 30, 2013.
Conclusion
Internal controls, including policies and standards, are in place and working to support the achievement of established goals and objectives for UAM. UAM continues to evolve with the creation of tools and new initiatives. However, certain opportunities exist for the Agency to further strengthen its processes to ensure that UAM is managed effectively and efficiently, and in a consistent and standard manner, including the following:
- Procedures should be comprehensive and documented to ensure consistency;
- Supporting tools should be consistent and current across all regions and branches;
- Roles and responsibilities should be clearly defined and communicated in a timely manner for certain activities (provisioning and monitoring); and
- Compliance with UAM requirements as stated in policy and standards should be improved.
By addressing the findings above, the Agency can further strengthen the processes in order to ensure that UAM within CRA is managed effectively and efficiently, and in a consistent and standard manner.
Appendix A - Platform Descriptions
Platform name | Platform acronym | Description
---|---|---
Mainframe (Data Centre Heron and Data Centre St. Laurent) | Mainframe (DCH and DCSL) | Platform that hosts IBM z/OS infrastructure which provides online and batch processing for CRA applications and databases.
Distributed Computing Environment | DCE | Platform that hosts CRA workstations, laptops and servers running Microsoft Windows operating system software and Active Directory services.
Electronic Business Computing Infrastructure | eBCI | Platform that hosts internal and external web-based Java applications and Commercial-off-the-shelf (COTS) products.
Systems, Applications, and Products in Data Processing – Corporate Administrative System | SAP–CAS | The Corporate Administrative System (CAS) is an enterprise resource planning system which serves as the central repository for most of CRA’s corporate Financial, Human Resources, Materiel, and Facilities data. A SAP UserID must exist in CAS before access is given to other platforms.
Systems, Applications, and Products in Data Processing – | SAP–RL | Financial management system (RL) which holds program financial data for the provision of standardized external reporting in accordance with Treasury Board Accounting Standards and other financial reporting requirements. Access to RL is provided through a SAP RL UserID which must match the CAS UserID.
Glossary
Acronym | Description
---|---
AIS | Authoritative Identity Store
CAS | Corporate Administrative System
CPI | Corporate Policy Instrument
CRA | Canada Revenue Agency
DCE | Distributed Computing Environment
DCH | Data Centre Heron
DCSL | Data Centre St-Laurent
eBCI | e-Business Computing Infrastructure
ESAR | The Employee System Access Review
F&A | Finance and Administration Branch
FAM | Financial Administration Manual
GAA | Generic Account Administration
IAM | Identity and Access Management
InfoZone | Agency Intranet
IT | Information Technology
ITB | Information Technology Branch
NGE ID | Non-Government Employee Identifier
OGD | Other Government Department
PRI | Personnel Record Identifier
PURM | Privileged User Risk Management
RBAG | Role Based Access Guide
RL | Revenue Ledger
SADC | System Access Definition Catalogue
SAP | Systems, Applications, and Products software
SIAD | Security and Internal Affairs Directorate
TBS | Treasury Board Secretariat
TF469 | User Access Authority Form
UAM | User Access Management
UIASS | User Identification and Authentication Security Standard
UserID | CRA user identity
VCAs | Divisional Access Control Administrators
Footnotes
- Footnote 1: Finance and Administration Manual, Security Volume, Chapter 17 - Access Accountability and Authentication to Agency Information Technology Systems Policy
- Footnote 2: Ibid.
- Footnote 3: ITB, DTIM, Performance Indicators Performance Report, Quarter 1, 2012/13
- Footnote 4: The environment where taxpayer/registrant information is entered, processed and maintained.
- Footnote 5: Operational Security Standard: Management of Information (MITS 16.3), http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text#sec3.4
Date modified: 2013-07-12