Audit of NRCan's Business Continuity Management Process

Presented to the Departmental Audit Committee (DAC)
October 19, 2021

Executive Summary

Introduction

Business continuity management (BCM) is the process of identifying and planning for possible major service disruptions in an effort to minimize their impact on an organization’s ability to perform its critical functions. Effective BCM is vital to an organization’s ongoing stability and success, as it prepares efficient responses to interruptions and aims to proactively address internal and external threats. The onset of the COVID-19 pandemic has highlighted the importance of effective BCM practices for all organizations.

As a key component of organizational security, the requirements for Government of Canada (GoC) Departments to create and implement BCM processes are stipulated in two Treasury Board (TB) policy instruments: the Policy on Government Security (PGS) and the Directive on Security Management. The TB Policy on Service and Digital is complementary to these policy instruments. Together, the instruments aim to ensure that Departments have established effective security controls to support the timely and effective delivery of products and services to Canadians.

The Emergency Management Act (EMA) identifies the accountabilities and responsibilities of federal ministers relating to emergency management in Canada. BCM supports this core mandate by preparing the functions deemed critical to the Department’s mandate to withstand a major service disruption. Through BCM, critical functions may continue to operate and deliver the EMA-related activities for which Natural Resources Canada (NRCan) is responsible.

NRCan’s Security and Emergency Management Division (SEMD) within the Corporate Management and Services Sector (CMSS) is responsible for the Department’s BCM Program; however, business owners are responsible for the management and operation of the Department’s mission critical functions and systems. NRCan activated its business continuity plan (BCP) in response to the COVID-19 pandemic on March 15th, 2020, and employees were instructed to work from home until further guidance was provided. NRCan’s strategy for continuing operations during a BCP activation includes an alternate site that can be used under the Common Office Recovery System (CORS); however, this site has not been used given the nature of the pandemic.

The objective of the audit was to assess the effectiveness of NRCan’s security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The audit also identified lessons learned emerging from the activation of the BCP in March 2020 due to the global pandemic.

Strengths

The Department has demonstrated flexibility and agility in its efforts to achieve BCM objectives in response to the COVID-19 BCP activation. A governance committee led by the Chief Security Officer (CSO), which provides an oversight function over BCM, was recently renewed. In addition, some business impact analysis/business continuity plan (BIA/BCP) tools have recently been updated in consultation with Public Safety (PS). While there is no complete Departmental BCP in place, the Department has begun to prepare a draft BCP and intends to finalize it.

Areas for Improvement

The Department is exposed to a number of risks due to BCM processes requiring significant improvement. Opportunities were identified to improve the BCM governance structure and management processes to oversee and coordinate the Department’s BCM. This includes defining and communicating roles and responsibilities, developing a BCM training and awareness program, and strengthening internal monitoring and communication processes. Opportunities also exist to strengthen departmental BIA and BCP activities to ensure they are thoroughly documented, routinely approved by senior management, and supported by regular risk assessments as well as a formal testing program. Furthermore, opportunities were identified to document plans, definitions, and requirements for critical services IT components. There also exists an opportunity to ensure that BCM continuous improvement efforts are strengthened, including the regular monitoring of BCM operations as well as timely follow-up and lessons learned activities.

Internal Audit Conclusion and Opinion

In my opinion, although some elements of a BCM program are in place at NRCan, several are not working effectively and require significant improvement. Specifically, opportunities exist to strengthen the effectiveness of the security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The importance of departmental BCM activities will require management’s timely attention in addressing the areas identified in this audit to ensure that the Department will be prepared to meet its objectives in the event of a BCP activation.

Statement of Conformance

In my professional judgement as Chief Audit and Evaluation Executive, the audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the GoC’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CIA
Chief Audit and Evaluation Executive
October 19, 2021

Acknowledgements

The audit team would like to thank those individuals who contributed to this project, particularly employees who provided insights and comments as part of this audit.

Introduction

Business continuity management (BCM) is the process of identifying and planning for possible major service disruptions in an effort to minimize their impact on an organization’s ability to perform its critical functions. Effective BCM is vital to an organization’s ongoing stability and success, as it serves to reduce the impact of service interruptions and aims to proactively address internal and external threats. The onset of the COVID-19 pandemic has highlighted the importance of effective BCM practices for all organizations.

As a key component of organizational security, the requirements for Government of Canada (GoC) Departments to create and implement BCM processes are stipulated in two Treasury Board (TB) policy instruments: the Policy on Government Security and the Directive on Security Management. The TB Policy on Service and Digital (PSD) is complementary to these policy instruments. Together, the instruments aim to ensure that Departments have established effective security controls to support the timely and effective delivery of products and services to Canadians.

Furthermore, the Emergency Management Act (EMA) identifies the accountabilities and responsibilities of federal ministers relating to emergency management in Canada. BCM supports this core mandate by preparing the functions deemed critical to the Department’s mandate to withstand a major service disruption. Through BCM, critical functions may continue to operate and deliver the EMA-related activities for which Natural Resources Canada (NRCan) is responsible.

Figure: “Business continuity management” is displayed in the center of the figure, surrounded by five labelled boxes connected with arrows forming a complete cycle. Beginning from the first box at the top of the figure, and moving in a clockwise fashion, the boxes display the following terms: Business Impact Analysis, Business Continuity Plans, Awareness and Training, Testing, Monitoring & Corrective Actions.

The BCM cycle comprises five overarching components (depicted in the figure above). The cycle begins with a business impact analysis (BIA), in which the major risks facing an organization are identified and their impact on critical service functions is assessed. A business continuity plan (BCP) is developed based on the outcomes of the department’s BIA, outlining the activities and procedures to implement in the event that a major service disruption actually occurs. Awareness and training are intended to prepare employees to deliver an efficient, coordinated BCP effort. Regular testing of the BCP ensures that the organization is continually in an appropriate state of preparedness. Finally, regular monitoring of the various BCM components ensures that future BIAs are well-informed and up-to-date, supporting the continuous improvement of an entity’s BCM practices.

NRCan’s Security and Emergency Management Division (SEMD) within the Corporate Management and Services Sector (CMSS) is responsible for the Department’s BCP Program. SEMD finalized the Standard on Business Continuity Management (the Standard) in August 2018. The objectives of this document are to ensure the continued delivery of critical business functions, limit the loss of public trust, reduce the financial and economic hardship to Canadians, reduce the disruption of internal government operations, and diminish the negative impacts on international, federal, provincial and territorial relations. The Standard intends to outline the roles and responsibilities of various stakeholders within the Department, including SEMD, the Chief Information Office and Security Branch (CIOSB), and Sector Management and BCM leaders. The Standard also outlines the overarching steps for developing and addressing BCM activities.

NRCan activated its BCP in response to the COVID-19 pandemic on March 15th, 2020, and employees were instructed to work from home until further guidance was provided. The Department’s mission critical systems are managed and operated at the sector level by business owners. NRCan has an alternate site that can be used under the Common Office Recovery System (CORS); however, this site has not been used given the nature of the pandemic.

Appendix B provides a list of acronyms used throughout the audit report. This audit was included in the 2020-2025 Integrated Audit and Evaluation Plan, approved by the Deputy Minister on August 27, 2020.

Lessons Learned from the COVID-19 Pandemic
Boxes appear throughout the audit report highlighting lessons learned that could be included in preparations for future activations.
During the course of the audit, the audit team identified key lessons learned emerging from NRCan’s response to the COVID-19 pandemic that did not fall within the scope of the audit and chose to include them throughout the report using this format. The assessment of lessons learned during a BCP activation is a key element for continuous improvement of a mature business continuity management process.

Audit Purpose and Objectives

The objective of the audit was to assess the effectiveness of NRCan’s security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The audit also identified lessons learned emerging from the activation of the BCP in March 2020 due to the global pandemic.

Specifically, the audit assessed whether:

  • Adequate security governance structures have been established to oversee and coordinate the Department’s business continuity management components at the departmental, sectoral, and regional levels;
  • Risk management activities are adequately designed, implemented, and continually updated to enable a continual state of readiness to deliver on NRCan’s mandate in the event of service disruption;
  • Adequate processes have been established to ensure the operating effectiveness of NRCan’s critical business functions in the event of a BCP activation; and
  • Lessons learned emerged from the activation of NRCan’s BCP in March 2020 due to the global pandemic.

Audit Considerations

A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. A summary of the key underlying potential risks that could impact the effective implementation of NRCan’s BCM include:

  • Adequate security governance structures support departmental, sectoral, and regional planning and responses to an event that requires the BCP to be activated, including appropriate identification of relevant roles and responsibilities throughout the Department;
  • Effective and adequate business impact assessments exist, and are implemented correctly, to identify the Department’s critical functions, and to ensure that unmitigated risks are addressed;
  • Effective processes are designed and support the adequate implementation of the BCP in the event of a BCP activation, including the implementation of BCP testing exercises, continuous improvement initiatives, and training activities; and
  • BCPs were effectively activated and implemented in response to the COVID-19 Pandemic, and the lessons learned from that experience have been documented by the Department.

Scope

The audit focused on the current and planned business continuity management activities and initiatives within the Department. Given the department-wide contribution to the BCP program, it included an examination of the roles, responsibilities, and accountabilities of the various sectors, including SEMD, which is the Office of Primary Interest located within CMSS. The audit timeline covered the period commencing with the effective date of the TB Policy on Government Security, July 1, 2019, through to July 2021.

The audit did not focus on emergency management activities as these were covered by a recent audit. The audit also did not focus on departmental disaster recovery plans (DRPs), except where there was a direct relevance to BCM. This audit did not assess the adequacy or effectiveness of the Department’s integrated risk management framework and corporate risk profile, nor the supporting processes used to develop and update them.

The results of previous advisory, audit, and evaluation projects on related topics were also considered by the audit team.

Approach and Methodology

The approach and methodology used in this audit followed the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (IIA Standards) and the Treasury Board Policy on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with independence and objectivity as defined by the IIA Standards.

The audit included the following key tasks:

  • Interviews with key personnel and committee representatives;
  • Review and testing of the Department’s documentation and business processes with regards to business continuity planning;
  • Identifying and reviewing best practices identified in other government departments; and
  • Review of key Policies and Directives.

The conduct phase of this audit was substantially completed in July 2021.

Criteria

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

Findings and Recommendations

BCM Governance Structure, Communication, Reporting Mechanisms, and Training and Awareness

Summary Finding

Overall, the Department demonstrated flexibility and agility in the efforts and actions it took to achieve BCM objectives in response to a BCP activation. While CIOSB has designed and implemented some processes to direct and oversee the Department’s BCM components, opportunities were identified to improve the BCM governance structure and management processes to coordinate the Department’s BCM components at the departmental, sectoral, and regional levels. Opportunities were also identified to ensure that roles and responsibilities are defined and communicated, and that NRCan develops awareness and training programs to build BCM skills and capacity. Furthermore, an opportunity to improve internal monitoring and communication processes was identified, which could provide sectors and regions a better understanding of their requirements and of the priorities of the Department as it pertains to BCM.

Supporting Observations

The audit team expected that adequate governance structures would have been established to oversee and coordinate NRCan’s BCM components at the departmental, sectoral, and regional levels. Furthermore, it was expected that roles, responsibilities, and accountabilities would be clearly defined and communicated to those charged with these responsibilities. The audit team expected that the Department had established adequate communication mechanisms between sectors and the central coordination function responsible for the BCP program, as well as reporting mechanisms to ensure that SEMD and governance committees receive accurate, complete, and timely information allowing them to effectively guide and oversee business continuity processes. Lastly, the audit team expected that adequate formal training and awareness programs would be established to develop the required skills and capacity within those roles assigned BCM responsibilities, thereby enabling effective performance in response to the activation of a BCP.

Governance Structures

The audit team found that an Assistant Deputy Minister (ADM) level committee, the ADM Security Emergency Management and Intelligence Committee (ADM SEMIC), and a Director General (DG) level governance committee, DG SEMIC, were established in support of BCM activities. However, the ADM-level committee has not met since 2019, and the DG-level committee had not met since 2018, until it was reconvened by the Chief Security Officer (CSO) in December 2020. During the pandemic, the Department chose to utilize other committees to exercise governance and oversight of the organization’s response. The audit team found that this renewed DG committee has been meeting monthly since January 2021, that it includes a relevant list of members, and that it is fulfilling its mandate. CMSS developed and updated a Terms of Reference (TOR) for DG SEMIC indicating that it intends to report to NRCan’s senior management through the Operations Committee. However, the audit team noted that, since January 2021, information resulting from DG SEMIC meetings has yet to be provided to the Operations Committee.

The audit team found that a Business Continuity Management Working Group (BCM WG) was formed, intending to report upwards to DG SEMIC. The working group’s TOR does not identify the frequency with which the group intends to meet. SEMD indicated that while the BCM WG met quarterly, meeting minutes or records of decision were not retained. The BCM WG membership includes BCP Leaders from each sector who have been assigned to the working group by the Sector ADM. The audit team noted that the BCM WG membership list was not kept up to date.

Lessons Learned from the COVID-19 Pandemic #1
When using an adaptive management approach for BCM, it should be supported by a clear plan to form a basis for management decisions.
At the onset of the pandemic, NRCan employees were instructed to work from home. The Department demonstrated agility by quickly convening a Senior Management Committee, which met on a daily basis to oversee the evolving situation, and make rapid decisions based on the information available. A COVID-19 committee was also created, and disseminated all-staff messages and guidance to NRCan employees through the COVID-19 mailbox and was used to answer questions raised by staff.

The audit team also noted that senior officials overseeing critical functions had to make decisions in the absence of established protocols. As a result, an adaptive management approach was taken, which meant that decisions sometimes had to be amended based on new information and guidance from central agencies. The results of focus group interviews performed by auditors indicated that while participating managers and staff were generally satisfied with the level of communication received about the departmental response, many indicated a need for more concrete plans, guidance, and protocols.

Roles and Responsibilities

The audit team found that roles and responsibilities for BCM at NRCan are formally and primarily defined in the NRCan Standard on Business Continuity Management (the Standard) (August 2018). The Standard has not been updated despite the TB Directive on Security Management coming into effect in July 2019. Consequently, the audit team found that while the roles and responsibilities in the Standard generally align to the roles outlined in TB guidance, there were some discrepancies. The TB Directive indicates that the CSO of the organization has delegated authority for security management including BCM; however, the Standard does not define or document the roles and responsibilities of the CSO or how their role coordinates with the other various individuals responsible for BCM activities at NRCan. Furthermore, the TB Directive and the Standard are not aligned regarding the assignment of responsibility for the annual report on security which includes BCM.

The audit team also noted that ADMs have been given the responsibility to identify critical functions within their sectors, and the NRCan Standard on BCM requires that the master list of critical business functions undergo an annual review by the Executive Committee. The audit team was not able to find evidence of this review being completed as required. The audit team also found that the Standard does not identify BCM roles or responsibilities for the Senior Building Officers (SBOs) in each region in which NRCan operates. In the absence of defined BCM roles and responsibilities, or an understanding of where they have authority to permit work to continue, some SBOs working together across regions created their own BCP documentation in an attempt to standardize their response and decision-making processes.

The Standard was available on the departmental intranet, and SEMD indicated that the responsibilities identified in the Standard were communicated via the BCM WG to the Sector BCM coordinators and leader community. Despite this, the audit team found that many of the members of these groups were not aware of their BCM roles and responsibilities or where they could find their documented roles and responsibilities. In addition, there has been high turnover in the BCM coordinators and leaders group leading to training for new members being required more frequently.

In addition, the audit team found that numerous individuals from all levels, sectors, and regions of the Department who had been assigned BCM responsibilities were not aware of what was expected of them in their assigned BCM role. Therefore, the existing methods by which BCM roles and responsibilities are communicated were found to be ineffective.

Communication and Reporting Mechanisms

The TB Directive on Security Management requires that the CSO report at least annually to the Deputy Head on their progress and the achievement of priorities defined in the Department’s security plan. The audit team found that formal reporting to senior management for NRCan’s BCM function and its progress and achievement towards the Department’s priorities has not been completed during the scope period of this audit.

The audit team noted that SEMD communicates with BCM coordinators from each sector who are responsible for coordinating the annual completion of BIAs and BCPs. The main mechanism for these communications is through the BCM WG. As noted above, the audit team found that documentation of BCM WG meetings has not been completed or retained; however, SEMD has created user guides for sectors to rely on when completing the BIA/BCP template, as well as guides to lead and participate in a table-top exercise.

The audit team found that in each building within Canada that NRCan staff occupy, there is an SBO, typically assigned at the DG level, who is responsible for making decisions regarding occupancy and safety of personnel under the Building Emergency Evacuation Plan (BEEP). During the COVID-19 pandemic, and due to the prolonged nature of the disruptions it has caused, NRCan SBOs are responsible for decisions surrounding building occupancy based on local public health agency guidelines; therefore, they hold responsibilities related to the continuation of NRCan activities, some of which were designated as critical. As a result, in consultation with their peers across the country, they made decisions regarding continuity of operations, including approving the removal of equipment from NRCan buildings. SBOs noted that in some instances they had to amend decisions when guidance was received from CMSS. In many cases, NRCan’s SBOs are responsible not only for the NRCan employees in these NRCan-owned buildings, but also for the other tenants of various offices, which include private organizations and other government departments. As such, it was of significant importance for SBOs to receive timely information regarding the Department’s priorities and decisions pertaining to building occupancy.

Lessons Learned from the COVID-19 Pandemic #2
Variations in regional circumstances and requirements should be considered.
Given NRCan's geographical reach, its plans, strategies, and protocols should be tailored to match the business continuity requirements of different regions, to allow for efficient and effective response strategies. Some regional buildings are owned by NRCan, and SBOs are responsible for private and public sector tenants, which have their own risk tolerances and BCM strategies that may not align with those of NRCan. Guidance offered through the NCR to respond to the COVID-19 pandemic should consider the importance of satisfying the needs and requirements of regional offices and their tenants.

Training and Awareness

Training programs and awareness campaigns are an important component of the BCM cycle. The requirement for NRCan to have these processes in place is identified in the TB Directive on Security Management. This Directive specifically highlights training and awareness as a vital aspect contributing to the success of a department’s BCM function.

Overall, the audit team found a lack of awareness pertaining to BCM activities. Specifically, the audit team found that at all levels of the Department, there is a lack of understanding of how the Department’s processes and plans for achieving emergency management (EM) objectives differ from those supporting business continuity. The audit team did note that CIOSB conducted a BCM awareness campaign with members of NRCan’s Senior Management Committee prior to an EM tabletop exercise conducted in May 2021, and that many of the individuals interviewed who participated in this exercise indicated that it was well organized and well received.

The audit team learned that individuals asked to act for officials who could not attend meetings were not always well equipped with adequate BCM awareness or training to make the required decisions for which they were given responsibility. This could indicate a lack of awareness of BCM protocols and training for those with delegated responsibilities.

The Standard assigns SEMD responsibility for training BCM Sector Coordinators and Leaders, who are then assigned the responsibility to provide training as required within their “area of responsibility”. However, the audit team noted that the “area of responsibility” for training sectors is not clearly defined or understood. Business Process Owners (BPOs) have the overall responsibility for their critical functions and the processes required to ensure continuity of operations, particularly IT continuity, in the event of a BCP activation. The resulting training to ensure staff are prepared for an activation would need to be specific to each critical function. However, the responsibility for this BCM training and awareness of critical function staff is not clearly assigned in the Standard. The audit team also found that in addition to, and possibly as a result of, departmental guidance lacking clarity, critical functions had not designed or implemented formal training and awareness programs in support of business continuity.

The BCP leader role is typically held at the director or manager level. Through interviews across all sectors, the audit team found that the BCM leader role is often assigned to an individual without prior BCM skills or experience; rather, assignment is based on who has capacity to take on the administrative role of ensuring that BIA/BCP templates are completed on an annual basis. The audit team found that there was not an adequate training program to support and build the skills and capacity of the Sector BCM Leader community to enable them to complete their assigned roles and responsibilities related to conducting sectoral BCM training, establishing and leading their Sector’s BCM Working Group, and coordinating BCP exercises.

The audit team found that while SEMD has created and shared a user guide for completion of BIA/BCP templates and guides for participation in a BCP Tabletop exercise, the division has not provided adequate training for BCM Sector Coordinators and Leaders. Furthermore, there was no evidence that a formal training program for the Department had been established to develop the necessary skills and capacity within the Department to achieve its BCM objectives.

Risk and Impact

In the absence of governance committees meeting regularly and basing their activities and decisions on adequate and timely reports, and a clear response structure, there is a risk that oversight is not adequately performed, which could result in the Department being unprepared to respond to a service disruption.

A lack of BCM processes, including communication of roles and responsibilities, integration of the SBOs' role into BCM processes, and a training and awareness program to build capacity and develop skills, may leave individuals at all levels without the information needed to execute the duties required to achieve departmental BCM objectives in support of the Department's mandate.

Recommendations

Recommendation 1: It is recommended that the CSO ensure that:

  1. there are adequately functioning governance committees and that there is sufficient, timely, and sustained reporting from BCM WG to DG-SEMIC, and from DG-SEMIC to NRCan Senior Management allowing for adequate oversight of the BCM program and activities;
  2. roles and responsibilities and decision-making authorities, including the delegation of these authorities, are reviewed and communicated to ensure that they align with the Department’s plans to achieve its BCM responsibilities in the event of a major service disruption; and
  3. a robust BCM training and awareness program is implemented to develop, train, and retain the appropriate skills and capacities required to ensure that the Department is prepared to fulfill its mandate as it relates to BCM.

Management Response and Action Plan

Management agrees with Recommendation #1a.

CIOSB will ensure that a copy or debrief of the BCM WG is provided to DG-SEMIC in a timely manner. Furthermore, all materials that are developed as they relate to BCM are reviewed and approved by the BCM WG and DG-SEMIC and presented to NRCan senior management.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: March 31, 2022

Management agrees with Recommendation #1b.

CIOSB will ensure that BCM roles, responsibilities and reporting relationships are communicated to all levels of management, key business continuity stakeholders within NRCan, and all employees. Roles and responsibilities will also be included in the revised Standard. This includes outlining the CSO's functional reporting to the DM. CIOSB will use presentations to management, communiqués to employees, as well as training and table-top exercises.

Furthermore, Management agrees to hold a BCM Table-top exercise for Senior Management every year, so that Senior Management are kept abreast of their roles and responsibilities and are well prepared for any events.

The first table-top exercise is scheduled for November 2021.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: March 31, 2022

Management agrees with Recommendation #1c.

CIOSB will establish a monitoring and reporting framework, which will be an integrated part of NRCan’s BCM program. The monitoring and reporting framework will include a testing/exercising component as well as a reporting component to capture the number of plans completed, approved, and exercised/tested, as well as compliance with NRCan, TBS and Public Safety (PS) policy instruments and technical guidance.

NRCan will also develop a training and awareness program for BCM Coordinators, Senior Management and employees. Roles and responsibilities for each group will also be conveyed in the training.

NRCan’s goal is to test Branch BCMs, which include critical services and critical support function recovery strategies, on a yearly basis. The reporting component will be used to keep senior management apprised of the business continuity planning program’s effectiveness and progress. The Sector-level BCM Plan will be reviewed and revised if necessary every year, as outlined in the current iteration of the Branch BCP.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: September 30, 2022

Risk Management Activities and Processes

Summary Finding

Overall, the audit team found that NRCan has established an annual BIA process that is completed for each business function within the Department; SEMD coordinates and reviews the results of this exercise. While SEMD is currently updating the BIA template and its accompanying user guide in consultation with PS, existing BIAs are out of date, do not receive senior management approval as required by PS guidance, and are not informed by a thorough risk assessment. The audit team also found that no BIA is conducted for NRCan as a whole, and that processes to systematically identify the Department’s critical functions and their recovery objectives, as required by the TB Policy, do not exist. Existing BIA processes do not offer a complete view of the Department’s vulnerabilities or of the impacts of possible service disruptions that would inform ongoing business continuity strategies.

While an overarching departmental BCP is currently being drafted by SEMD, the audit team found that the Department still needs to develop additional procedures to guide users’ actions across the various types of service disruption. Activation and deactivation triggers have not been defined, and there are no formal processes for monitoring the Department’s internal and external environments for potential threats.

NRCan has historically conducted both department-wide BCP tabletop exercises and CORS testing on an annual basis. While neither has been conducted in the last two years, a BCP tabletop exercise is being planned for the fall of 2021. Pandemic tabletop exercises were conducted for critical functions in March 2020 in preparation for the COVID-19 pandemic. However, NRCan has not established a BCP testing program detailing the frequency, content, and objectives of BCP tests. Furthermore, formal procedures for documenting lessons learned from BCP tests and following up on their implementation have not been documented.

While NRCan identified key lessons learned from the BCP activation, opportunities exist to complete the lessons-learned exercise in a timely manner, to document action plans, and to ensure their implementation.

Supporting Observations

The audit team expected that adequate risk management activities had been designed and implemented, and are routinely updated across the Department, to enable a continual state of readiness to deliver on NRCan's mandate in the event of a service disruption. It was expected that BIA activities are conducted on a regular basis to identify critical functions and continuity requirements, and that they are informed by thorough risk assessments giving a clear perspective of NRCan’s vulnerabilities. The audit team also expected to see established BCP processes that could be effectively leveraged in the event of a service disruption and that support the Department in addressing existing and unmitigated risks. Lastly, the audit team expected to see established processes to regularly monitor and test NRCan’s BCM activities, ensuring that corrective actions are implemented when appropriate.

In addition, the audit team expected that the Department has established adequate processes to identify lessons learned as part of the March 2020 BCP activation, and that best practices would be documented and implemented, and that follow-up activities would be conducted.

Risk Assessments

Adequate risk assessment processes support an entity’s ability to identify potential vulnerabilities and service disruptions, understand the consequences of possible events, and establish effective mitigation measures where gaps may exist. Risk assessments can inform pre-emptive initiatives to minimize the impacts of service disruptions and improve the overall effectiveness of the BCM program.

The audit team could not obtain evidence that a risk assessment that considers internal and external risks has been conducted to support departmental BCM activities. Interviews with BPOs, BCP leads/coordinators, and CMSS confirmed that routine risk assessments are not taking place for BCM purposes. This type of exercise, when properly executed, would help ensure that potential impacts and consequences of different events are routinely considered, informing the criticality assessments and prioritization of departmental functions. There was no evidence demonstrating that mitigation measures are being implemented as a result of BCM risk assessments at NRCan.

Business Impact Analysis (BIA) Activities

Completing and maintaining an accurate business impact analysis (BIA) is a fundamental step in an entity’s BCM efforts. This step supports the organization in determining the impacts of potential internal/external service disruptions and identifying its critical functions. Those functions deemed critical through a BIA would then be prioritized during a disruption to ensure that the organization’s mandate and overarching objectives are continuously met.

Several key metrics are typically used to assess the criticality of an organization’s functions relative to one another, and to gain a better understanding of their requirements and objectives. PS, which has a role in offering BCM expertise to GoC departments and agencies, has established guidance that uses the following definitions for these standard items:

  • Maximum Allowable Downtime (MAD): The longest period of time which a service or activity can be unavailable or degraded before a high or very high degree of injury results;
  • Minimum Service Level (MSL): The lowest level of service delivery which is necessary to avoid a high or very high degree of injury, and that is maintained until full recovery is achieved for critical services, activities, and business enabling functions (BEFs) - usually expressed as a percent;
  • Recovery Time Objective (RTO): The established period of time within which services, activities, BEFs, resources and/or associated assets must be recovered after a disruption, in order to meet the MSL and avoid exceeding the MAD; and
  • Recovery Point Objective (RPO): The established point in time up to which data must be recoverable after interruption or disruption in an organization’s information and technology systems.

The audit team found that NRCan does not have an overarching, strategic-level BIA for the Department as a whole to help consolidate departmental BCM requirements and support a coordinated approach to pursuing continuity objectives. Instead, it has established an annual exercise in which each function within the Department completes its own BIA, using a template developed by SEMD. This template has historically contained four major sections, with BPOs providing a description of their service, assessing their criticality level, and documenting their interdependencies and resource requirements. BPOs use their judgement to fill out their respective templates on an annual basis. SEMD coordinates this exercise, reminding sectors to complete their BIAs and conducting follow-up when necessary.

SEMD reviews the completed templates once submitted to ensure that they have all been updated and that all fields are completed. Through this review, SEMD also intends to provide a challenge function in which it assesses the appropriateness of some inputs, which may include questioning the self-assessed criticality levels or the MAD/MSL entries. However, the outcomes of this challenge function can be limited by the large quantity and breadth of BIA entries, as well as by the lack of clarity about SEMD’s role in exercising it.

The audit team noted that the current BIA template does not include the identification and assessment of RTOs and RPOs, two key metrics supporting BCM initiatives. However, it is worth noting that the BIA template is currently being updated by the SEMD team. A draft version of this template was shared with the audit team, but has not yet been implemented department-wide. The new template is aligned with PS guidance, in that it now incorporates all four key metrics and has expanded its criteria for defining criticality. SEMD has been working with PS in order to update the content of its template.

Overall, the audit team found that there is confusion over self-assessed criticality levels and determining MAD/MSL, as a result of a lack of adequate definitions of terms and BCM training. An accompanying BIA/BCP user guide was developed by SEMD, intended to support BPOs in fulfilling their duties; however, the guide primarily ensures that users fill out each field, instead of disambiguating some of the required input fields to ensure accurate content.

The annual BIA updates do not formally require management approvals or signatures unless the function is classified as critical, which would trigger a requirement for the full completion of a functional BCP. However, with the adoption of the new BIA template, senior management approval will be required on all BIAs, regardless of the criticality level.

The last completed BIA exercise for the Department was conducted in fiscal year 2019-2020. The current year’s iteration has been delayed due to the ongoing COVID-19 pandemic and recent efforts to update the supporting templates and guides. As a result, the content of available BIAs is out of date. A key feature of the BIA is to provide contact information for business owners and their alternates. This information can be leveraged by central departmental functions to coordinate continuity efforts. Given the BIAs have not been reviewed since 2019-2020, contact lists are out of date, and other key items including criticality levels, MAD, MSL, interdependencies, and resource requirements may be less reliable.

The results of the annual exercise are captured and summarized by SEMD in a master list. This document identifies each business function and categorizes it by criticality level. The master inventory currently lists 133 departmental functions, each of which completed a BIA in 2019-2020. Of the 133 functions, five were classified as a “critical service”, four as a “critical dependency”, and 24 as a “critical support” function, the last group including all ADM Offices (ADMOs).

Defining Criticality

Through interviews with BPOs, sector BCP leads/coordinators, and various members of CMSS, the audit team noted that there is confusion among those who exercise BCM responsibilities regarding what constitutes a critical function. While PS has developed guidance to this effect, interviewees were not always aware of it. In addition, criticality criteria have not been formally established or documented within NRCan to allow for consistent application between functions.

Standard BCM practice dictates that consequence-based criteria be developed and implemented throughout an organization. This involves determining key consequences that could result from different types of events and service disruptions; these can vary from threats to human safety, loss of access to major facilities, loss of network availability etc. Once the criteria have been established, BPOs would rank their function’s impact on each potential consequence on a standard scale (e.g. a 4-point scale from low to high). These assessments demonstrate the impact of various types of service disruptions for each function, helping an organization prioritize their BCM efforts and ensure that the entity can achieve its continuity objectives for a well-defined list of critical functions or services. By planning for potential consequences of service disruptions, organizations can prepare for disruptions without requiring individual plans for every single type of event requiring an activation.

This type of process has not been present in NRCan’s BCM activities. Instead, the Department has relied on independent self-assessments of criticality by each Sector, without standard procedures or formal, senior-management-approved definitions for determining criticality. The result has been inconsistent interpretations and perceptions of criticality among NRCan’s members.

PS guidance identifies five consequence-based criteria that can be used to assess criticality in federal departments. They are: (1) the health of Canadians; (2) the safety of Canadians; (3) the security of Canadians; (4) the economic well-being of Canadians; and (5) the effective functioning of Government. Organizations are expected to assess their impact on a 4-point scale for each criterion in order to determine their overall criticality level. SEMD has incorporated this system into the new BIA template, which has yet to be implemented. Departmental guidance that would support users in interpreting these criteria, understanding them fully, and applying the 4-point scale consistently is not currently in place; however, management has indicated that a new BIA/BCP user guide serving this purpose is currently being drafted.

The audit team also noted that the Department has not developed an exhaustive, consolidated list of its critical functions and their accompanying recovery objectives, approved by senior management. Such a list would help ensure departmental priorities are clear and understood, allowing for more organized prioritization of resources and efforts during major service disruptions. The audit team identified two consolidated lists of critical functions, one of which exists through the master inventory previously discussed and the other within the draft departmental BCP, last updated in 2016. These two lists are inconsistent with each other, and neither have received senior management approval.
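As an added example (not part of the audit report, and not NRCan's or PS's own tooling), the following Python script applies the checks implied by the four metric definitions and the five consequence-based criteria above to a small constructed BIA inventory: it derives criticality from the consequence scores and compares it with the owner's self-assessment, verifies that the RTO does not exceed the MAD, that the MSL is a valid percentage and that an RPO exists where a function depends on IT, and flags entries that are stale or that are critical but unapproved. The record layout and field names, the annual review interval, and the rule that a score of 3 or 4 ("high or very high degree of injury") on any criterion makes a function critical are assumptions made for illustration; the page does not say how the overall level is derived from the five scores.

```python
"""Consistency checks over a BIA master list (added example, not audit or NRCan code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The five consequence-based criteria from PS guidance, each scored on a 4-point scale.
CRITERIA = ("health", "safety", "security", "economic_well_being",
            "functioning_of_government")
# Assumption: a score of 3 or 4 on any criterion means a high or very high
# degree of injury, which is what makes the function critical.
CRITICAL_THRESHOLD = 3
REVIEW_INTERVAL_DAYS = 365  # assumption: BIAs are reviewed annually


@dataclass
class BIARecord:
    function: str
    self_assessed_critical: bool       # what the business owner entered
    consequence: dict                  # criterion -> score on the 4-point scale
    mad_hours: int                     # Maximum Allowable Downtime
    msl_percent: int                   # Minimum Service Level, as a percent
    rto_hours: Optional[int]           # Recovery Time Objective (None if not recorded)
    rpo_hours: Optional[int]           # Recovery Point Objective (None if not recorded)
    has_it_dependency: bool            # the function relies on an information system
    last_reviewed: date
    approved_by_senior_management: bool


def derived_critical(rec: BIARecord) -> Optional[bool]:
    """True/False from the consequence scores, or None if the assessment is incomplete."""
    scores = [rec.consequence.get(c) for c in CRITERIA]
    if any(s is None or not 1 <= s <= 4 for s in scores):
        return None
    return max(scores) >= CRITICAL_THRESHOLD


def check_record(rec: BIARecord, today: date) -> list:
    """Return 'CODE: detail' findings for one BIA entry (empty list if it is consistent)."""
    findings = []
    critical = derived_critical(rec)
    if critical is None:
        findings.append("INCOMPLETE_CONSEQUENCE_ASSESSMENT: all five criteria need a score of 1-4")
    elif critical != rec.self_assessed_critical:
        findings.append(f"CRITICALITY_MISMATCH: self-assessed critical={rec.self_assessed_critical}, "
                        f"consequence scores imply critical={critical}")
    # RTO must exist and must fall inside the MAD, otherwise the MAD is exceeded by design.
    if rec.rto_hours is None:
        findings.append("RTO_MISSING: no Recovery Time Objective recorded")
    elif rec.rto_hours > rec.mad_hours:
        findings.append(f"RTO_EXCEEDS_MAD: RTO {rec.rto_hours}h is longer than MAD {rec.mad_hours}h")
    if not 0 < rec.msl_percent <= 100:
        findings.append(f"MSL_OUT_OF_RANGE: MSL {rec.msl_percent}% is not a valid percentage")
    if rec.has_it_dependency and rec.rpo_hours is None:
        findings.append("RPO_MISSING: function depends on IT but no Recovery Point Objective is set")
    age_days = (today - rec.last_reviewed).days
    if age_days > REVIEW_INTERVAL_DAYS:
        findings.append(f"STALE_BIA: last reviewed {age_days} days ago (limit {REVIEW_INTERVAL_DAYS})")
    if critical and not rec.approved_by_senior_management:
        findings.append("UNAPPROVED_CRITICAL: critical function lacks senior management approval")
    return findings


def check_inventory(records, today: date) -> dict:
    """Map each function name to its findings; consistent functions are omitted."""
    return {rec.function: f for rec in records if (f := check_record(rec, today))}


# Constructed sample inventory; names, scores and dates are invented for the example.
SAMPLE_TODAY = date(2021, 6, 30)
SAMPLE = [
    BIARecord("Hazard monitoring", True,
              {"health": 2, "safety": 4, "security": 2, "economic_well_being": 3,
               "functioning_of_government": 2},
              mad_hours=4, msl_percent=80, rto_hours=2, rpo_hours=1, has_it_dependency=True,
              last_reviewed=date(2020, 2, 15), approved_by_senior_management=True),
    BIARecord("Travel claims processing", True,
              {"health": 1, "safety": 1, "security": 1, "economic_well_being": 2,
               "functioning_of_government": 2},
              mad_hours=72, msl_percent=50, rto_hours=96, rpo_hours=None, has_it_dependency=True,
              last_reviewed=date(2021, 3, 1), approved_by_senior_management=False),
    BIARecord("Public enquiries line", False,
              {"health": 1, "safety": 3, "security": 1, "economic_well_being": 1,
               "functioning_of_government": 2},
              mad_hours=24, msl_percent=120, rto_hours=None, rpo_hours=None, has_it_dependency=False,
              last_reviewed=date(2021, 1, 10), approved_by_senior_management=False),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE, SAMPLE_TODAY).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Run against a real master list, the same checks would give SEMD's challenge function a repeatable first pass: the output lists exactly which entries contradict their own consequence scores, which recovery objectives cannot be met, and which critical functions still lack the approval the new template will require.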

Business Continuity Planning (BCP) Activities

NRCan’s BCP processes are closely linked to the BIA, and are generally conducted in unison. When a BPO has completed their BIA using the template and self-assesses as critical, a BCP must be completed. This BCP is filled out in the same template, which expands to incorporate BCP requirements when a function is deemed critical. Findings previously mentioned regarding the delayed implementation of this year’s annual update and the absence of a supporting risk assessment process also apply to the BCP. At the time of the audit, the new draft BIA/BCP template being developed by SEMD makes minor adjustments to the BCP sections.

In contrast to the BIA, the purpose of a BCP is to outline how an organization will respond to disruptions to maintain acceptable service levels for critical functions. Effective BCPs should provide concrete, relevant guidance for users to address the consequences of service disruptions, which may be common across different types of events. For example, an entity’s BCP might describe procedures to address prolonged loss of access to facilities, which could be caused by a variety of incidents including pandemics or natural disasters. NRCan has produced functional BCPs for 41 functions within the Department, five of which were for critical services, three for critical dependencies, 21 for critical support functions, and 12 for moderately critical functions. NRCan does not currently have a strategic-level BCP process to capture BCM priorities and objectives at the Departmental level to ensure that NRCan’s critical functions share a coordinated strategy that is also in alignment with the broader GoC strategy. This type of process is recommended by PS guidance.

NRCan’s documented BCP processes are captured in three primary sources: the BCP template, the draft departmental BCP, and the Standard. In general, the procedures defined within these documents are broad, and presented at a high-level. Section 3.1 of the BCP template covers activation procedures; it is primarily focused on communication and ensuring that appropriate individuals are contacted. PS’s BCP guidance and suggested templates recommend offering substantial, concrete guidance to users for reference during an activation; however, this is not included in NRCan’s template, which mainly includes steps for contacting individuals to discuss and communicate the potential BCP activation.

Activation procedures are also offered in Section 2.3.1 of the draft Departmental BCP. This section of the plan states that the Department should assign employees to critical service maintenance, direct supporting staff to CORS, ensure key files are available, limit the use of networks where possible, etc. The guidance offered in the draft plan is very general, which can be useful given the wide variety of potential events. The NRCan Standard provides a high-level view of the processes that must be followed in the event of an emergency situation. However, there are no formal procedures and documented processes to address the consequences of different types of service disruptions. Given that the plan is still in draft and has not been approved or widely distributed, the guidance therein has not been leveraged by the Department.

In general, the documented procedures offered through Departmental guidance focus on initiating the BCP but offer very limited guidance to users on what concrete actions should be taken once activation has occurred. As a result, interviews with Sector representatives revealed that the BCPs were not heavily leveraged during the current pandemic, given their lack of clear guidance and perceived utility.

A review of Departmental BCP guidance revealed additional areas for improvement in NRCan’s established BCP processes, including:

  • Current draft plan does not provide thorough procedures for determining when a service disruption or threat is terminated, and how to deactivate the plan once this is confirmed;
  • Current BCPs do not capture a list of Memoranda of Understanding or Service Level Agreements in which the Department is engaged to support their BCP activities and response efforts; and
  • BCM incident governance, distribution lists, and suggested training or awareness activities are also not incorporated, all of which are suggested additions to BCPs according to PS guidance.

Lessons Learned from the COVID-19 Pandemic #3
Business Continuity Plans should prepare an organization for an event, regardless of the suddenness with which it may occur.
Due to the nature of the pandemic, the possibility of a BCP activation was anticipated several weeks before the activation of NRCan’s BCP. NRCan’s agile response to the pandemic may have stemmed from this advanced warning, allowing for plans and preparation for a pandemic to occur. However, if a more sudden event occurred (e.g. fire, major geologic hazards, or network failure due to a cyber attack), the Department could face some challenges in adequately responding to these events if plans were not established in advance.

BCP Coverage

According to recognized best practices and PS guidance, an effective BCP should address a wide variety of service disruptions, by offering suggested actions that address the different types of resulting consequences. These consequences and impacts are normally generated through risk assessments and BIA exercises. With adequate BCP coverage, an entity could effectively react to a wide array of service disruptions, quickly evaluating its needs, mobilizing the appropriate resources, and implementing pre-established recovery strategies.

The audit team found that NRCan’s BCP documents are heavily centred on the CORS. CORS has been developed as a recovery strategy in which senior managers and key personnel congregate at an alternate site in Ottawa. The temporary location would be fitted with workstations running a bare-bones system so that critical functions can resume their work. The CORS strategy may not accommodate the circumstances of NRCan’s critical functions located in regional offices. While CORS could be an effective response strategy for certain types of service disruption, it does not apply to a wide variety of cases, including pandemics and widespread network unavailability.

Lessons Learned from the COVID-19 Pandemic #4
When preparing for possible incidents, all consequences should be considered.
Prior to the pandemic, reliance was placed on the CORS as a key part of the Department’s BCP strategy, which was not used given the nature of the pandemic and the requirement to work remotely. Knowing that some events (e.g. cyber attacks, or network failure) may impact the ability of the workforce to work remotely, plans and preparation should reflect this possibility and avoid over-reliance on telework as a response to future service disruptions requiring a BCP activation.

Activation Triggers

Although activation procedures are provided within NRCan’s BCP documentation, there is limited guidance relating to when the BCP should actually be activated in the first place. Clear BCP triggers have not been defined by the Department. There was also no evidence of established procedures and detection mechanisms to alert the Department of potential events that could lead to service disruptions, whether that be in the form of communications with external parties or through regular environmental scans. Processes for assessing alerts, and determining the severity of detected threats have not been established. A good industry practice is to align activation triggers with other crisis management procedures including EM and building evacuation plans and to develop an approved list of alert criteria that BCP users can leverage to assess a potential disruption and determine what type of response is merited. However, alert criteria have not been developed, and there is limited guidance surrounding aligning the type of BCP response with relevant impact levels.

According to the Standard, the moment an emergency event occurs, a teleconference is expected to take place among senior BCM officials to determine whether the BCP should be activated. However, this process is unlikely to be invoked except in the case of extreme emergencies. This level of coordination would not apply to smaller events or near misses, which may still require some form of BCP response. NRCan has not established different response strategies to accommodate varying levels and categories of service disruption.

BCM Testing and Exercises

According to PS guidance, entities should develop and implement a testing program, in order to continuously validate their plans and state of preparedness and reinforce the departmental BCM practices. Regular testing of BCPs helps to promote an acceptable state of preparedness, in accordance with departmental practices. It provides the opportunity to validate plans, identify deficiencies, and exercise BCM teams. Testing programs typically span multiple years and detail the various tests and exercises to be conducted on an annual basis. These programs should be approved by senior officials and follow clear, documented testing objectives.

PS guidance suggests that planned testing initiatives be aligned with the entity’s objectives and the overall maturity of its BCM practices. Different levels of testing are possible, varying in terms of their relative complexity and involvement. BCM tests can span from drills, to tabletop exercises, to full simulations. Ideally, a testing program would follow a ‘building block approach’, in which annual exercises are conducted that gradually increase in their level of complexity, as the entity builds its BCM knowledge and capacity. The time and resources dedicated to testing should reflect its BCM maturity.

The audit team found that two types of BCP tests have historically been conducted annually at the Departmental level. The first is a department-wide tabletop exercise, in which NRCan representatives from multiple Sectors are gathered to walk through varying sets of circumstances and discuss Departmental response mechanisms and strategies. The second was the annual CORS test, in which key members of the Department would gather at the alternate location and practise using the alternative infrastructure and systems. Neither of these exercises has been conducted within the last two years; the latest department-wide BCM tabletop exercise took place in 2017, and the latest CORS simulation in 2018. However, management has indicated that it plans to conduct a recurring annual Department-wide BCP tabletop exercise beginning in the fall of 2021, as well as an annual EM session each spring. The first of these recurring EM tabletop exercises was held in May 2021 for the NRCan Senior Management Committee; it included a BCM awareness session for participating senior managers, as noted previously with regard to training and awareness.

In March 2020, the Department conducted seven tabletop exercises with the sectors containing critical functions in anticipation of the COVID-19 pandemic. This exercise was intended to help determine whether the critical services could be delivered from any location, that resources were equipped accordingly, and to ensure that employees designated in the plan were familiar with its contents. The exercise involved gathering business owners, critical staff, and their alternates from across the Sectors and presenting them with hypothetical scenarios associated with a pandemic (e.g. whether they were able to fully transition to remote working, whether they could compensate for critical employees randomly becoming ill and not being able to perform their functions, etc.). For each scenario, sector representatives reflected on whether adapting to these situations was feasible in the current conditions. The pandemic tabletop exercises were effective in preparing critical employees in their respective responsibilities and were well received by Sector representatives.

While the pandemic tabletop exercises were effective, BCP tests were not conducted at the departmental level over the past year. NRCan has not established a formal BCM testing program to evaluate existing procedures, identify potential gaps in plans, measures and arrangements, as well as to support the continuous improvements of departmental BCM efforts. BCP testing strategies and objectives have not been approved by a member of senior management. As noted above, the audit team learned that a BCM exercise is planned to be held in fall 2021. As this exercise was not conducted as of the time of the audit, the audit team was not able to assess whether the exercise adequately supported continuous improvement efforts.

Follow-Up and Monitoring Activities

Capturing lessons-learned from BCM exercises is an essential step to ensure the continuous improvement of the overall BCM framework. Best practices dictate that lessons learned should be formally documented, communicated to relevant parties, and actioned where appropriate. Ensuring an appropriate, timely response to potential gaps or weaknesses highlighted during an exercise requires establishing accountabilities for implementing any lessons learned, as well as routine follow-up efforts to track their completion.

SEMD produces after-action reports following departmental BCM testing exercises. These reports typically include the nature of the tests performed, key outcomes, and the resulting lessons learned. For example, the pandemic tabletop exercises conducted in 2020 yielded after-action reports for each critical function. Within these after-action reports, Sectors were asked to identify gaps discovered in their existing processes that could inhibit proper functioning during a pandemic. Business owners were also asked to list action items they should implement to improve their ability to respond effectively to the pandemic.

Results from the pandemic tabletop exercises were consolidated into a single after-action report, summarizing all of the findings and exercise outcomes. SEMD has developed a tracking sheet that lists each action item, the accountable implementation lead, and the current implementation status. Through this tracking sheet, SEMD was able to ensure that the outcomes of the tests are incorporated into future BCM efforts, enabling continuous improvement. Despite evidence demonstrating that the results of the most recent BCM testing exercises were documented and followed-up on, there are no standardized procedures in place within the Department to ensure this is done consistently by all sectors. Approved processes and procedures describing the actions that should be taken post-exercises, including the appropriate documentation and follow-up of action items for BCP improvements, are not in place.

According to PS guidance, to ensure BCM programs continue to meet the needs of an entity, BIAs and BCPs must be regularly reviewed and updated to account for changes in services and activities, resource requirements and availability, and environmental threats. Both internal and external BCM monitoring activities should be established to support continuity efforts.

PS guidance indicates that internal BCM monitoring can be achieved through examining the impacts of major organization changes, developing post-incident reports, reviewing after-action reports following exercises, and keeping apprised of industry best practices. External monitoring can take the form of regular risk assessments and environmental scans to encourage proactive responses to major events and improved preparedness. The audit team could not obtain evidence that formal internal or external monitoring activities and procedures are documented to support the BCM program.

Lessons Learned relating to COVID-19

On March 15, 2020, the Department activated its business continuity processes in response to the global COVID-19 pandemic. This was the first time that such an activation had taken place at NRCan. The TB Directive on Security Management requires that each department review and maintain BCPs based on the results of tests and the activation of plans to ensure that BCM practices continue to meet the needs of the department. Furthermore, while not required by the TB Directive, a best practice includes identifying lessons learned based on BCP activations or events that have occurred to similar organizations, as well as ‘near miss’ incidents that could have had a more serious impact (e.g., a cyber attack in a similar department, or a fire in a neighbouring building).

While the Department’s BCM guidance does not formally require the identification of lessons learned and the remediation of issues in a timely manner following a BCP activation, SEMD began obtaining input from sectors and recording the lessons learned from the first wave of the pandemic in a “COVID-19 1st Wave After Action Report”. The lessons learned recorded via this exercise pertained to a wide variety of topics, not limited to BCP. However, the audit team found that this exercise was not conducted and completed in a timely manner. Specifically, as of June 2021, the report was still in a draft phase and had not been shared with management. Lessons learned have been collected, but next steps and plans for remediation and implementation have not been documented.

Risk and Impact

In the absence of adequate BIA and BCP processes, there is an increased risk that departmental resources and efforts are not properly prioritized in the event of a major service disruption, potentially leading to prolonged service interruptions. Delayed or ineffective response procedures, including undefined activation triggers, increase the likelihood that NRCan’s critical services are not recovered to an appropriate level within an acceptable period of time and then properly maintained. Such interruptions could ultimately impact the Department’s ability to deliver the services that are deemed critical.

Without appropriate BCP testing, lessons learned, and follow-up activities, there is a risk that established BCM processes are not functioning as intended. Gaps and deficiencies in existing procedures may persist without notice or remediation for extended periods, hindering NRCan’s response efforts and the continuous improvement of BCM processes.

When lessons learned exercises are not completed, implemented, and corrected in a timely manner, there is a risk that the Department may not be adequately prepared to respond to subsequent and/or concurrently occurring service disruptions, such as a network failure.

Recommendations

Recommendation 2: It is recommended that the CSO establish processes to ensure the development and implementation of:

  1. Thorough BIA activities, supported by regular risk assessments and approved by senior management on a regular basis;
  2. Updated BCP activities, including concrete operating procedures for a variety of service disruptions, as well as activation, deactivation, and monitoring procedures;
  3. A formal BCM testing program outlining the objectives, types, frequency, and post-exercise actions for departmental BCM tests; and
  4. A lessons learned process that is adequately designed, implemented, and operating in a timely manner during and after BCP activations to ensure that best practices are documented and that issues are tracked until remediated.

Management Response and Action Plan

Management agrees with Recommendation # 2a.

CIOSB has developed a BIA template which will be sent to sector BCM coordinators for review and approval. Sectors will use the BIA template for their annual review. Sector BIAs will require formal approval by the sector head and will be brought to the DG-SEMIC governance committee. A formal risk assessment program will be developed and implemented in the next fiscal year to ensure compliance with NRCan, TBS and PS policies.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: September 30, 2022

Management agrees with Recommendation # 2b.

CIOSB will continue to review and revise all BCM activities, which include operating procedures for a variety of service disruptions. Standard Operating Procedures (SOPs) will be reviewed based on a risk analysis and using “After Action Reports” following major events (i.e., wildfires). Once each SOP is reviewed and approved, it will be provided to Subject Matter Experts and included in the training and awareness products. In addition, CIOSB will engage sector BCM Coordinators in the review and implementation of those procedures. CIOSB will ensure that everyone who plays a role in BCM is trained and has knowledge of what to do during an emergency.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: June 30, 2022

Management agrees with Recommendation # 2c.

CIOSB will be establishing a monitoring and reporting framework, which is an integrated part of NRCan’s business continuity management planning program. Management will continue to revise and review this reporting framework to ensure compliance with NRCan, TBS and PS policy instruments and technical guidance. NRCan’s goal is to test Branch BCPs, which include critical services and critical support function recovery strategies, on a yearly basis. The reporting component will be used to keep senior management apprised of the business continuity planning program’s effectiveness and progress.

The Sector-level BCP will be reviewed and revised if necessary every year.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: December 31, 2022

Management agrees with Recommendation # 2d.

CIOSB will ensure lessons learned from BCM events are documented, continuously reviewed and implemented when a BCP is activated. In addition, these lessons learned will be presented to DG-SEMIC, and incorporated in the training and awareness products.

Timing: June 30, 2022 – process will be defined.

Management Processes, Compliance with Policy, and IT solutions

Summary Finding

Overall, the audit team noted several areas of non-compliance with the TB Policy on Government Security (PGS), the Directive on Security Management, and the NRCan Standard on BCM. The audit team found that critical functions have designed and implemented IT solutions to support their BCP IT continuity objectives and a Major Incident Management Plan (currently in draft form) establishes an updated list of critical business applications and services. However, opportunities exist for the Department to establish internal guidance to improve alignment with, and the achievement of, TB policy objectives and expected results through the creation of department-wide plans and written agreements, as well as through establishing clear expectations for BPOs of critical functions.

Supporting Observations

The audit team sought to determine whether NRCan had developed and implemented an adequate policy suite and department-wide plans to achieve compliance with the requirements set out in the TB PGS and the Directive on Security Management. The audit team expected that the Department has designed and implemented IT solutions to support and achieve its continuity objectives and that the Department has established processes to ensure that resources are prioritized and effectively distributed to critical functions. Through the effective completion of these activities prior to an activation, an organization can improve its level of preparedness and thereby contribute to the effectiveness of the Department’s ability to continue to operate its critical functions in the event of a service disruption occurring.

Compliance with TB Policy and Development of Internal Guidance

TB has established a policy suite to guide GoC departments and agencies in the establishment of their respective BCM policy suite. This suite includes the PGS, the Directive on Security Management and PSD. In addition, PS is identified as having a role in providing expertise to GoC departments and agencies and does so through BCM guidance, which is published and available on the GCPedia webpage.

The audit team found that NRCan does not have a departmental level BCP that has been finalized or approved. A draft departmental plan does exist; however, it was last updated in 2016. While business function specific continuity plans were obtained and examined, the audit team noted that there is no central strategic level document to guide and inform the Department on BCM processes.

Through an examination and comparison of the Department’s internal policies and plans against the TB policy suite pertaining to BCM, the audit team found that NRCan’s internally developed guidance is generally aligned with external guidance from TB policy and PS guidance. However, several areas of improvement have been identified, including that NRCan’s policies and standards do not adequately stipulate the roles and responsibilities related to testing BCPs and the expected training requirements. Currently, the NRCan Standard on BCM does not identify the TB requirement for senior officials to review the training program. Another area of improvement identified is the documented roles and responsibilities of the CSO. The CSO is identified in the TB policy as having numerous responsibilities related to BCM oversight and operational activities; however, NRCan has limited internal guidance that defines the CSO’s responsibilities and identifies how the CSO’s efforts will be coordinated with the rest of the Department.

The PGS states that senior officials in the Department’s security governance must establish or recommend the establishment of written agreements when their department relies on or supports another department or organization to achieve government security objectives. For example, the audit team found that NRCan has not established a written agreement between itself and Shared Services Canada (SSC) based on NRCan’s reliance on SSC to achieve government security objectives related to business continuity management processes. SEMD noted that in place of written agreements NRCan relies on service standards developed by SSC; however, NRCan’s critical function representatives have noted that their IT continuity plans are reliant on SSC support, and that the existing SSC service standards being used in place of agreements are insufficient to achieve the Department’s continuity objectives.

IT Solutions

Overall, the audit team found that while the critical functions examined have designed and implemented IT solutions to support their BCP objectives, there were several opportunities for improvement identified related to IT continuity. These areas include documentation of plans, definitions, and requirements for critical services IT components, identification and regular approval of critical business applications and services, and establishment of written agreements with third-party service providers.

IT continuity mechanisms are identified in the Standard under the role of the Information Technology Security Coordinator (ITSC); however, guidance on the implementation of the BCM program does not include specific requirements or guidelines on IT continuity documentation. Business process owners of critical functions are responsible for ensuring IT continuity of their operations. While the audit team found that the BIA template asks functions to list their critical IT assets, this section is not consistently completed and therefore there is no complete list of critical IT assets. The audit team also found that the Information Technology Disaster Recovery Plan (IT-DRP) created for the CORS site was last updated in 2015; therefore, there is a risk that this plan is out of date given it has not been reviewed based on changes to the Department that have occurred over the past six years.

The audit team noted that NRCan’s critical functions have established infrastructure to ensure continuity of IT operations in the event of a major service disruption to achieve the objectives in their BCP. Three out of five critical functions documented their continuity plans via IT-DRPs, which outlined in detail the supporting IT infrastructure processes for maintaining IT continuity through a service disruption. These plans included a ticketing system to track and prioritize incidents, including concurrently occurring service disruptions. However, the audit team also found that while lessons learned related to IT continuity may originate from planned tests of their systems or from unplanned incidents, there is no formal documentation or tracking of these lessons learned to ensure remediation occurs.

The audit team found that the information included in the version of the BIA/BCP template used over the last several years does not provide adequate information to BPOs about what plans and information are required to ensure IT continuity. The newly updated version of the BIA/BCP template requests BPOs to answer whether they require a DRP, whether the function completing the BIA/BCP has the necessary computers available should telework be the chosen continuity strategy, and whether the function has established processes to continue operations in the event of an IT infrastructure failure. However, no description or explanation of when a function is required to create an IT-DRP is provided. Furthermore, the new version of the template only requires the identification of recovery objectives (i.e., Recovery Time Objective and Recovery Point Objective) for each function as a whole, and does not require specific objectives for each system and/or application that supports it. The lack of specific recovery objectives for each system and/or application, as identified in PS guidance, may affect critical functions’ ability to ensure alignment between their planned IT capacity and the continuity needs of the business function.

SSC provides network, hardware, and software to government departments and is therefore relied on as a service provider by various NRCan functions, including NRCan’s critical functions. In January 2021, SSC met with NRCan to provide an outlook on its IT continuity position and discuss the collaborative next steps to close gaps identified by an IT continuity assessment of NRCan’s IT environment. Furthermore, SSC has a process in place to identify Critical Business Applications and Services (CBAS) to inform incident priority levels as part of its incident management prioritization process. SSC’s CBAS service standards note that having an application or service on the CBAS list with SSC does not by itself grant it 24/7 support, but results in a higher level of communication, escalation, and service support resource engagement. SSC’s process for requesting that an application or service be added to its CBAS list is through submission of a Microsoft Excel document via email. BPOs of NRCan’s critical functions requesting to be added to SSC’s CBAS list must complete a questionnaire, which is then sent to SSC by CIOSB. The audit found that SSC’s CBAS list of NRCan applications and services is not regularly approved or reviewed, and that no one at NRCan is responsible for regularly ensuring alignment between what NRCan expects to be listed as a CBAS by SSC and what is actually on SSC’s CBAS list. The audit team found that in the past, there have been instances where the understanding between NRCan and SSC regarding what was on SSC’s CBAS list did not align. The audit team obtained evidence that in June 2021, a departmental critical function’s data centre went offline and SSC was contacted to obtain IT support. SSC did not have the data centre identified as primary on its CBAS list for NRCan, resulting in the critical function not receiving the level of support it expected for an application or service, due to a misalignment between what NRCan believed was a CBAS and what was on SSC’s list of CBAS for NRCan.
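Two of the gaps described above, function-level-only recovery objectives and an unreconciled CBAS list, are the kind of checks a BCM coordinator can run mechanically against BIA data. The script below is an added example written for this page, not NRCan's or SSC's tooling; the function, system and provider-list names are constructed, and the data model (a function-level RTO/RPO plus a per-system RTO/RPO and an expected CBAS designation) is an assumption about how a BIA might be recorded. It shows why per-system objectives matter: a function cannot be recovered faster than its slowest supporting system, so a function-level RTO alone says nothing about whether the IT arrangement can meet it. It also diffs the business owners' expectation of the provider's critical-applications list against the list the provider actually holds, which is the misalignment behind the June 2021 data centre incident.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SupportingSystem:
    """A system or application a critical function depends on (hypothetical model).

    rto_hours / rpo_hours are the recovery capability actually delivered by the
    system's continuity arrangement; None means the BIA/BCP did not document one.
    cbas_designation is what the business owner expects the IT service provider
    to have recorded for this system on its critical-applications list.
    """
    name: str
    rto_hours: Optional[float]
    rpo_hours: Optional[float]
    cbas_designation: str = "primary"


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float                      # function-level Recovery Time Objective
    rpo_hours: float                      # function-level Recovery Point Objective
    systems: List[SupportingSystem] = field(default_factory=list)


def effective_rto(func: CriticalFunction) -> Optional[float]:
    """Recovery time the function can actually achieve: the slowest supporting system.

    Returns None when any system lacks a documented RTO, because the true bound
    is then unknown (an undocumented system cannot be assumed to be fast).
    """
    rtos = [s.rto_hours for s in func.systems]
    if not rtos or any(r is None for r in rtos):
        return None
    return max(rtos)


def check_recovery_objectives(func: CriticalFunction) -> List[str]:
    """Flag systems with no system-level objective, and systems whose documented
    capability cannot meet the function-level RTO/RPO."""
    findings: List[str] = []
    for s in func.systems:
        if s.rto_hours is None or s.rpo_hours is None:
            findings.append(f"{func.name}/{s.name}: no system-level RTO/RPO documented")
            continue
        if s.rto_hours > func.rto_hours:
            findings.append(f"{func.name}/{s.name}: system RTO {s.rto_hours}h "
                            f"exceeds function RTO {func.rto_hours}h")
        if s.rpo_hours > func.rpo_hours:
            findings.append(f"{func.name}/{s.name}: system RPO {s.rpo_hours}h "
                            f"exceeds function RPO {func.rpo_hours}h")
    return findings


def reconcile_cbas(funcs: List[CriticalFunction],
                   provider_cbas: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what business owners expect on the provider's CBAS list with what
    the provider actually holds (name -> designation)."""
    expected = {s.name: s.cbas_designation for f in funcs for s in f.systems}
    result: Dict[str, List[str]] = {"missing": [], "mismatched": [], "unexpected": []}
    for name, designation in expected.items():
        listed = provider_cbas.get(name)
        if listed is None:
            result["missing"].append(name)
        elif listed != designation:
            result["mismatched"].append(f"{name}: expected {designation}, provider lists {listed}")
    for name in provider_cbas:
        if name not in expected:
            result["unexpected"].append(name)   # stale or never-approved entry
    return result


# Constructed sample data; none of these names come from the audit.
HAZARD_MONITORING = CriticalFunction(
    name="hazard-monitoring", rto_hours=4.0, rpo_hours=1.0,
    systems=[
        SupportingSystem("sensor-ingest", rto_hours=2.0, rpo_hours=0.5),
        SupportingSystem("data-centre-a", rto_hours=8.0, rpo_hours=1.0),   # too slow
        SupportingSystem("reporting-portal", rto_hours=None, rpo_hours=None),  # undocumented
    ],
)
PROVIDER_CBAS = {  # constructed provider-side list
    "sensor-ingest": "primary",
    "data-centre-a": "secondary",   # business expects "primary"
    "legacy-app": "primary",        # nobody at the department claims this one
}

if __name__ == "__main__":
    for line in check_recovery_objectives(HAZARD_MONITORING):
        print("OBJECTIVE:", line)
    print("effective RTO:", effective_rto(HAZARD_MONITORING))
    for kind, items in reconcile_cbas([HAZARD_MONITORING], PROVIDER_CBAS).items():
        for item in items:
            print(f"CBAS {kind.upper()}:", item)
```

Run on the constructed data, the objective check reports one system whose RTO exceeds the function's and one with no objective at all, `effective_rto` returns `None` because that undocumented system makes the real bound unknowable, and the reconciliation reports one missing entry, one designation mismatch and one entry nobody on the business side claims. Each of those would be a line item for the review that Recommendation 4b asks CIOSB to perform.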

After the completion of the conduct phase, the audit team obtained a draft Major Incident Management Plan (MIMP) in July 2021 which was shared by the CIO/CSO for comments at the Information Management & Technology Committee (IMTC). The primary purpose of this draft plan is to outline a step-by-step process for managing major IT incidents within NRCan to restore normal operations. The audit team found that this plan does provide a thorough guide to manage major IT incidents and includes an updated list of what NRCan would like to be classified as CBAS. The draft plan has been approved by the CIO/CSO; however, this plan has not yet been implemented and it does not provide clarity on the process to ensure that NRCan’s list of what they consider CBAS is approved, complete, accurate, and in alignment with SSC’s CBAS list for NRCan.

Additionally, the audit team found that BCM staff have developed IT continuity mechanisms that include outlining third-party service providers (including SSC) and the types of support they provide, including lists of required networks, applications and hardware. However, there are no agreements in place between NRCan and SSC outlining what each department is responsible for in the event of a service disruption to enable support of, and ensure continuity of, IT applications and services that rely on SSC, even though SSC maintains a website indicating the services it provides. The process to obtain SSC support for IT continuity of applications and services on the CBAS list requires a request to be made through the NRCan IT Helpdesk, which is responsible for forwarding the request to SSC. Given that the NRCan service desk is not currently staffed outside of NRCan’s core business hours, CIOSB indicated that critical functions rely on knowing specific contacts at SSC to call if an incident occurs outside of core business hours. The draft MIMP received indicates that NRCan plans to provide 24/7 NRCan Helpdesk support to critical functions; however, this is a draft plan and the audit team did not obtain evidence that this level of support is in place. The draft plan does not identify whether the Department will procure 24/7 support from SSC for CBAS. As NRCan’s Helpdesk often acts in a coordination role between critical functions and SSC, 24/7 support from NRCan’s Helpdesk may not remediate the issues identified above unless the Department procures matching 24/7 support from SSC. Furthermore, agreements with third-party service providers, including SSC, would improve the understanding of NRCan’s own responsibilities and expectations, as well as the effectiveness of the Department in continuing its critical operations. The audit team found that there are no adequate plans, processes, and agreements detailing how the Department’s critical functions should interact with some third-party providers in order to receive the levels of support needed for their IT applications and services.

Lessons Learned from the COVID-19 Pandemic #5
IM/IT controls should be in place to support the Department’s chosen BCP strategy
At the onset of the pandemic, the Department quickly implemented new IM/IT solutions, such as Microsoft Teams, to enhance remote collaboration. NRCan also used a laptop deployment strategy, prioritizing the assignment of laptops using a tiered structure. The progress of this strategy was communicated to senior management and all high-priority functions had their laptops deployed as of April 22, 2020. However, a recent targeted audit of IM/IT security found that desktop computers at NRCan buildings were removed by employees before they were properly configured to operate outside of NRCan buildings. Similarly, while the Department was agile in its response to the pandemic by moving quickly to a remote work environment, the targeted audit found that the department did not have processes or structures in place to ensure that sensitive and secure documents could be safely stored, or transferred in a remote work environment. Therefore, agility and nimbleness need to be balanced with ensuring adequate focus on IM/IT controls during critical events. It is worth noting that the targeted audit of IM/IT security issued recommendations to address these observations.

Prioritization and Distribution of Resources

The audit team found that the annual BIA process noted above is the key mechanism for NRCan’s prioritization and allocation of centralized services and resources, as well as the key mechanism for the identification of human resources required by a critical function. The audit team found no evidence to demonstrate that the Department’s critical functions have been prioritized based on the expected outcomes that would occur should they be unable to continue their operations in the event of a service disruption.

Senior officials in NRCan’s security governance structure are responsible for identifying the security requirements and the resulting resource needs of programs, services, and activities within their area of responsibility. Critical functions have financial authority assigned for emergency funds in the event that the designated official is not available to ensure that critical operations may continue.

The audit team was not able to obtain evidence of formally defined and documented plans or guidance on the redistribution of IT resources in response to a BCP activation. Despite the lack of formally documented plans and processes, the audit team noted that CIOSB was able to distribute IT hardware and infrastructure support to the critical functions effectively with the aim of allowing them to continue their operations during the COVID-19 pandemic, and that critical functions had plans in place to identify the resources they require.

Lessons Learned from the COVID-19 Pandemic #6
Clear BCM planning and preparedness should form NRCan’s primary response strategy for future activation.
NRCan’s organizational agility allowed for adaptation of some HR and communication processes, renovation of buildings to protect employees, and rapid implementation of IM/IT solutions to enable staff to work from home, in a situation where many teams were working with a reduced workforce. However, it was noted that this agility and the quick move to a remote work environment required extraordinary efforts and resulted in an increased workload and a significant stress level for some of NRCan’s employees which may have been reduced through increased preparedness.

Risk and impact

Failing to comply with requirements dictated in TB Policies can result in not having effective management processes in place for BCM.

The Department may be unprepared to meet its objectives in the event of a service disruption in the absence of a departmental-wide BCM plan, written agreements with third parties, effective processes to align IT capacity to meet identified recovery objectives, as well as, identification and communication of priority IT solutions and critical functions.

Recommendations

Recommendation 3: It is recommended that the CSO ensure that:

  1. departmental guidance aligns with TB Policy, and is communicated, implemented, and updated on a regular basis and includes plans for redistribution of resources to priority functions;
  2. areas of improvement or gaps identified by NRCan’s monitoring, testing and continuous improvement life-cycle components are identified and followed-up on in a timely basis; and
  3. a departmental-wide plan to achieve business and IT continuity objectives is designed and that it is adequately implemented, maintained, and updated in a timely manner, to ensure that the Department is prepared to achieve its mandated responsibilities under the Emergency Management Act.

Recommendation 4: It is recommended that the CSO ensure that:

  1. departmental guidance provides adequate information to business process owners of critical functions to inform them of their roles, responsibilities, and expectations pertaining to IT continuity; and
  2. a process is established to ensure that CIOSB regularly reviews the list of NRCan’s applications included on SSC’s CBAS list to ensure that it is complete and accurate and that this review as well as NRCan’s additions to the list are appropriately approved.

Recommendation 5: It is recommended that ADMs of Sectors with critical functions ensure that agreements are signed with third-party service providers (including departments) with which their critical functions provide or receive support to ensure that roles, responsibilities, and service standards are established based on BIA results (including recovery objectives).

Management Response and Action Plan

Management agrees with Recommendation # 3a.

The CIOSB will review and update the 2018 NRCan Standard on Business Continuity Planning Program (and other related policy documents, as required, such as the BIA documentation and the terms of reference for the BCP Working Group). CIOSB will ensure that the revised version of these documents aligns with TBS policies and framework.

The revised standard will clearly outline roles, responsibilities and reporting relationships through a clear governance structure.

The revised standard will be approved by NRCan’s DG-SEMIC and governance, will be communicated to employees and posted on NRCan’s intranet, and will be reviewed every three years.

Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector

Timing: June 30, 2022

Management agrees with Recommendation # 3b.

Business owners of mission critical applications perform yearly tabletop exercises to test their respective DRPs and address any areas for improvement. This remains within their respective areas of responsibility and accountability. The MIMP has gone through governance and SSC has agreed with the process. The MIMP will be implemented in Q3 2021-22 and it identifies areas of improvement or gaps after a major incident has been resolved through a critical incident report. A process will be implemented to capture these gaps, as well as the gaps identified from the IT Continuity exercise (see 3c below) and the testing/review of the business continuity management process (2c), in an action plan. CIOSB will follow up on the gaps with the business owners and SSC on a timely basis. The review and implementation of the action plan will also be added to the Departmental Security Policy for common understanding across NRCan.

Position responsible: Chief Information and Security Officer, Chief Information Officer and Security Branch, Corporate Management Services Sector

Timing: March 31, 2022

Management agrees with Recommendation # 3c.

The departmental-wide plan to achieve the business continuity objectives will be updated to align with the IT continuity objectives and the SSC incident management process so that the department can achieve its mandated responsibilities under the Emergency Management Act.

Position responsible: Chief Information and Security Officer, Chief Information Officer and Security Branch, Corporate Management Services Sector

Timing: June 30, 2022

Management agrees with Recommendation #4a.

The MIMP, aligned with the Departmental BCM plan and validated by business owners of critical functions and SSC, has been endorsed by IMTC and is planned to be approved by Operations Committee in September 2021. The MIMP documents the roles, responsibilities, and expectations when a major incident is detected and resolved. Similarly, CIOSB is validating the need for 24/7 IT Continuity Services with business owners of critical systems prior to entering and signing the SSC IT Continuity Services agreements, which will document the roles, responsibilities and expectations of business owners for IT continuity. CIOSB will provide guidance to business owners on their roles, responsibilities and expectations on IT continuity.

Position responsible: Chief Information and Security Officer, Chief Information Officer and Security Branch, Corporate Management Services Sector

Timing: June 30, 2022

Management agrees with Recommendation #4b.

SSC creates and owns the CBAS list. NRCan reviews and approves this list on a yearly basis in an exercise led by the SSC Client Executive team. Currently, the CIOSB Business Service Delivery (BSD) liaises with the business owners of critical services in order to review and approve the CBAS list for NRCan. The process will be updated so that the NRCan CIO reviews and approves the CBAS list for NRCan prior to sending it back to SSC. The updated process will be reflected in the Departmental Security Policy.

Position responsible: Chief Information and Security Officer, Chief Information Officer and Security Branch, Corporate Management Services Sector

Timing: March 31, 2022

Management agrees with Recommendation # 5.

There is a cost to availing of 24/7 SSC IT Continuity Services and CIOSB is reviewing the need for 24/7 IT continuity services with business owners at NRCan. NRCan will subsequently avail of the level of SSC IT Continuity Services accordingly. This will formalize the IT Continuity plans with SSC and will establish annual IT Continuity testing services of the existing IT Continuity infrastructure. The fallout of this exercise would also position NRCan to meet recommendations 3b, 3c and 4a from the Audit.

ADMs of Sectors with critical services will need to provide funding and ensure that the SSC IT Continuity agreements are signed, through CIOSB, to avail of SSC IT Continuity services. The signed agreements will formalize the SSC IT Continuity support with roles, responsibilities and service standards.

Position responsible: ADM of Sectors with critical services with support from the Chief Information and Security Officer

Timing: September 30, 2022

Appendix A – Audit Criteria

The objective of the audit was to assess the effectiveness of NRCan’s security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The audit also identified lessons learned emerging from the activation of the BCP in March 2020 due to the global pandemic.

The following audit criteria were used to conduct the audit:

Audit Sub-Objectives Audit Criteria
Sub-Objective 1:
To determine whether adequate security governance structures have been established to oversee and coordinate the Department’s Business Continuity Management components at the departmental, sectoral and regional levels.
1.1 It is expected that the Department has established adequate governance structures to provide coordination and oversight of BCM at the departmental, sectoral, and regional levels.
1.2 It is expected that the Department has developed and implemented an adequate policy suite, including a departmental BCP, in compliance with relevant Treasury Board policies.
1.3 It is expected that the roles, responsibilities, and accountabilities pertaining to the Department’s BCM activities are clearly defined and communicated, and adequately support the continuation of NRCan’s critical functions.
1.4 It is expected that the Department has established adequate communication and reporting mechanisms for communicating with, and providing guidance to sectors, to ensure the effective implementation of the BCP.
Sub-Objective 2:
To determine whether risk management activities are adequately designed, implemented, and continually updated to enable a continual state of readiness to deliver on NRCan’s mandate in the event of a service disruption.
2.1 It is expected that the Department has established adequate business impact assessment processes, including the identification and documentation of critical functions, internal and external risks, and implementation of mitigation measures to achieve established recovery objectives.
2.2 It is expected that the Department has established adequate processes to ensure that BCPs address the existing and unmitigated risks for each critical function.
2.3 It is expected that the Department has established effective processes to ensure adequate testing, monitoring, and corrective actions for the BCM to enable a continual state of readiness to deliver on its mandate in the event of service disruption.
Sub-Objective 3:
To determine whether adequate processes have been established to ensure the operating effectiveness of NRCan critical business functions in the event of a BCP activation.
3.1 It is expected that the Department has designed and implemented appropriate IT solutions to support its Business Continuity initiatives.
3.2 It is expected that the Department has established adequate processes to ensure that departmental resources including human, financial and IT resources are prioritized, and that mechanisms exist to redistribute resources effectively when required by a critical function.
3.3 It is expected that the Department has established adequate training processes to ensure that personnel tasked with designing and implementing the BCPs have adequate awareness and specialized training (including skills and capacity building) to conduct their duties.
Sub-Objective 4:
To determine whether lessons learned emerged from the activation of NRCan’s BCP in March 2020 due to the global pandemic.
4.1 It is expected that the Department has established adequate processes to identify lessons learned as part of the March 2020 BCP activation, and that best practices are documented, implemented, and follow-up activities are conducted.

Appendix B – Acronyms & Abbreviations

ADM – Assistant Deputy Minister
ADMO – Assistant Deputy Minister Office
ADM SEMIC – Assistant Deputy Minister Security Emergency Management Committee
BCM – Business Continuity Management
BCM WG – Business Continuity Management Working Group
BCP – Business Continuity Plan
BEEP – Building Emergency Evacuation Plan
BEF – Business Enabling Function
BIA – Business Impact Analysis
BPO – Business Process Owner
CBAS – Critical Business Applications and Services
CIOSB – Chief Information Officer and Security Branch
CMSS – Corporate Management and Services Sector
CORS – Common Office Recovery Strategy
DAC – Departmental Audit Committee
DEOC – Departmental Emergency Operations Centre
DG – Director General
DG SEMIC – Director General Security Emergency Management Committee
EM – Emergency Management
EMA – Emergency Management Act
GoC – Government of Canada
IMTC – Information Management & Technology Committee
IT – Information Technology
IT-DRP – Information Technology Disaster Recovery Plan
ITSC – Information Technology Security Coordinator
MAD – Maximum Allowable Downtime
MIMP – Major Incident Management Plan
MSL – Minimum Service Level
NCR – National Capital Region
NRCan – Natural Resources Canada
PS – Public Safety
PSD – Policy on Service and Digital
RPO – Recovery Point Objective
RTO – Recovery Time Objective
SBO – Senior Building Officer
SEMD – Security and Emergency Management Division
SOP – Standard Operating Procedure
SSC – Shared Services Canada
TB – Treasury Board
TOR – Terms of Reference
