Targeted Audit of Cloud Computing and Storage

Presented to the Departmental Audit Committee (DAC)

October 11, 2022

In 2022, the Targeted Internal Audit of Cloud Computing and Storage was conducted to assess the adequacy and effectiveness of NRCan’s governance, risk management and controls that are in place to oversee and manage cloud solutions.

The Department is taking action to address the targeted audit recommendations.

Pursuant to Section 16 (2) (c) of the Access to Information Act, some of the content of the audit report has been redacted.

NRCan has thoroughly weighed the public interest for disclosure against the need to ensure the security of departmental assets and national interests in making its decision.

Executive Summary

As part of the Government of Canada’s (GC’s) strategic IT objectives, the transition to cloud-based infrastructure has been identified as a priority. The GC has outlined policy guidance related to cloud transformations within the Treasury Board of Canada Secretariat’s (TBS) Policy and Directive on Service and Digital (the Policy and the Directive). The Policy and the Directive took effect on April 1, 2020, and serve as an integrated set of rules that articulate how GC organizations manage service delivery, information and data, information technology, and cyber security in the digital era.

Within NRCan, the Chief Information Officer and Security Branch (CIOSB) is responsible for overseeing the intake of cloud projects, overseeing the Security Assessment and Authorization (SA&A) process, provisioning access, providing Statement of Sensitivity (SOS) certification, providing additional cloud computing capabilities and providing developer support to sectors for cloud services. The Directive on Service and Digital notes that departmental Chief Information Officers (CIOs) are responsible for developing, implementing, and sustaining departmental strategies for producing or using enterprise IT services and solutions and for ensuring that cloud services are compliant with appropriate federal privacy and security legislation, policies, and standards. Prior to the commencement of the targeted audit, CIOSB noted that they are aware of this requirement and while there is not currently a strategy/policy in place, they are working to complete a cloud policy for the Department.

As the adoption of these Cloud technologies will become even more prominent in the upcoming years, this widespread change will create more business opportunities and risks for the Department. (Footnote 1) As such, to maximize cloud solution effectiveness while minimizing risk, it is expected that a cloud strategy with corresponding policies and procedures is documented, communicated, and operationalized across the Department, in alignment with the TB Directives and Policies. (Footnote 2)

The following report provides key findings and recommendations on Cloud Computing and Storage related risks identified during the course of this targeted audit. Given the “Cloud First” GC policy, the remediation of the findings identified in this audit is important: the number of applications and IT solutions that are migrating to or being built in cloud environments is increasing, and with it the Department’s risk exposure.

Strengths

Overall, the targeted audit found that the Department has applied various governance mechanisms to the inventory of cloud applications, which includes features such as order management, location tracking, supplier communications, automated requests, and cost optimization. The Department applied some risk management procedures and due diligence processes to cloud deployments. CIOSB is adapting processes to include instances of cloud deployment, and several sectors within the Department have a high level of expertise in cloud, as some sectors have been working with cloud for over seven years.

Areas for Improvement

[REDACTED]

Internal Audit Conclusion and Opinion

In my opinion, the Department has implemented select oversight and risk management processes to enable the deployment of cloud services; however, a number of improvements are required to further define and communicate roles and responsibilities related to the [REDACTED] to ensure they are effective.

Statement of Conformance

In my professional judgement as Chief Audit and Evaluation Executive, the audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CIA
Chief Audit and Evaluation Executive
October 11, 2022

Acknowledgements

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

Introduction

As part of the Government of Canada’s (GC’s) strategic objectives, the transition to cloud-based infrastructure has been identified as a priority. The GC has outlined policy guidance related to cloud transformations within the Treasury Board of Canada Secretariat’s (TBS) Policy and Directive on Service and Digital (the Policy and the Directive). The Policy and the Directive took effect on April 1, 2020, and serve as an integrated set of rules that articulate how GC organizations manage service delivery, information and data, information technology, and cyber security in the digital era.

There are three main types of cloud computing service. In Infrastructure as a Service (IaaS), cloud service providers (CSPs) sell the use of essential computing, storage and networking services which are hosted on the CSPs’ hardware; a client may build whatever type of environment they require on that infrastructure. Cloud providers also offer Platform as a Service (PaaS), where they provide hardware and software tools allowing clients to build, deploy, run, and manage a computing platform with one or more applications. Lastly, Software as a Service (SaaS) is a software licensing and delivery model in which the software owner is responsible for the computing and storage hardware required to run the application, and clients access the application and their data through a web-based application. The division of security responsibility between the CSP and the client shifts across these models: the client retains more of the security controls (operating system, network configuration, identity and access management, data protection) under IaaS and progressively fewer under PaaS and SaaS, which is why the controls the client is still expected to operate must be identified for each service.

Procurement of cloud services by federal departments is typically completed using the GC Cloud services procurement vehicle framework, which aims to leverage various methods of supply to meet the cloud requirement needs of the Government of Canada. The framework seeks to simplify and increase the transparency and fairness of the procurement process and to increase competition and access to the latest cloud solutions. Federal departments are jointly supported by Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC) with regards to procurement of cloud services using the procurement vehicle framework. (Footnote 3)

Within the GC, governance for the federal Enterprise Architecture occurs through the GC Enterprise Architecture Review Board (GC EARB), which oversees the implementation of the Enterprise Architecture direction for the GC. As defined in the Directive on Service and Digital, each Department is responsible for establishing their own Departmental Architecture Review Board (DARB) which oversees and assesses the alignment of cloud solutions to Departmental and Federal cloud strategies. NRCan has established a DARB with some responsibilities such as assessing the governance and alignment of cloud solutions to the overall cloud strategy of the Department.

Within NRCan, the Chief Information Officer and Security Branch (CIOSB) is responsible for overseeing the intake of cloud projects, overseeing the Security Assessment and Authorization (SA&A) process, provisioning access, providing Statement of Sensitivity (SOS) certification, providing additional cloud computing capabilities and providing developer support to sectors for cloud services. The Directive on Service and Digital notes that departmental Chief Information Officers (CIOs) are responsible for developing, implementing, and sustaining departmental strategies for producing or using enterprise IT services and solutions and for ensuring that cloud services are compliant with appropriate federal privacy and security legislation, policies, and standards. Prior to the commencement of the targeted audit, CIOSB noted that they are aware of this requirement and while there is not currently a policy in place, they are working to complete a cloud policy for the Department.

Based on the GC priorities and “Cloud First” policy, the Department has modernized legacy IT infrastructure, implemented cloud-based applications, and incorporated cloud functionalities into existing Departmental programs. As the adoption of these Cloud technologies will become even more prominent in the upcoming years, this widespread change will create more business opportunities and risks for the Department. (Footnote 4) As such, to maximize cloud solution effectiveness while minimizing risk, it is expected that a cloud strategy with corresponding policies and procedures is documented, communicated, and operationalized across the Department, in alignment with the TB Directives and Policies. (Footnote 5)

A targeted audit on cloud computing and storage was included in the 2021-2026 Integrated Audit and Evaluation Plan approved by the Deputy Minister on May 26, 2021.

Targeted Audit Purpose and Objectives

The objective of the audit was to assess the adequacy and effectiveness of NRCan’s governance, risk management and controls that are in place to oversee and manage cloud solutions.

Specifically, the targeted audit has assessed whether the Department has:

  • Effective governance and risk management activities in place for the complete inventory of cloud computing services to enable the organization to fully achieve business objectives.
  • Adequate mechanisms for vendor financial and performance management to ensure reliable service performance, availability, data integrity, and security.

Targeted Audit Considerations

A targeted audit is expected to provide reasonable assurance against defined criteria, following professional internal auditing standards and assurance standards. Relative to a typical internal audit, its scope is narrower and more focused.

A risk-based approach was used in establishing the objectives, scope, and approach for this targeted audit engagement. A summary of the key underlying potential risks that could affect the effective management of cloud computing and storage at NRCan includes whether:

  • Processes and procedures are in place to govern activities related to the inventory of cloud applications and oversee the risk management activities (including HR planning) to allow the organization to achieve its business objectives; and,
  • Costs and performance of vendors are tracked and monitored to ensure that an organization is receiving reliable service performance, availability, data integrity, and security.

Scope

The scope of the audit was focused on whether the policies, processes, and controls surrounding cloud computing and storage solutions were designed and implemented as of June 30, 2022. This targeted audit examined governance and risk management practices and their alignment with NRCan’s cloud strategy, along with the IT controls in place to protect and manage the assets in the cloud.

The audit team interviewed each sector within NRCan to gain an understanding of their current and planned uses of cloud service providers and selected a sample for audit fieldwork based on these interviews and on an assessment of risks performed during the planning phase.

The targeted audit team reviewed the work completed during recent IM/IT-related internal audits to avoid duplication of effort.

Criteria

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

Findings and Recommendations

Sub-Objective 1
The Department has effective governance and risk management activities in place for the complete inventory of cloud computing services to enable the organization to fully achieve business objectives.
Finding Area | Key Findings | Recommendation and Management Response

  1. [REDACTED]

Finding

[REDACTED]

Recommendation #1

[REDACTED]

Management Response

Management agrees. We need a proper cloud oversight and monitoring function at NRCan to ensure effective and consistent processes and controls across the department. Setting up these processes and controls will need consultation across NRCan and alignment with other audit recommendations and ongoing work on improvement of the IT Security posture. The implementation of the activities to address the recommendation will require additional resources.

In response to Recommendation #1, the Chief Information Officer and Security Branch (CIOSB) will develop a Request for Proposal (RFP) to acquire professional services to create the detailed action plan for implementation of the recommendation. The action plan will derive the prioritization of the activities with resource requirements and funding implications.

Position responsible: ADM, Corporate Management and Services Sector (CMSS)

Timing:

  • RFP & Contract Award: Q1, 2023 – 24
  • Detailed action plan with prioritization of activities, resourcing level and funding requirements: Q3, 2023-24
  2. [REDACTED]

Finding

[REDACTED]

Recommendation #2

[REDACTED]

Management Response

Management agrees.

In response to Recommendation #2, CIOSB has been gathering information from other departments to baseline [REDACTED] from a risk management perspective. The [REDACTED] is being adjusted on a continuous basis. In alignment with the action plan that will be developed (see Recommendation #1), a third-party reviewer will be engaged to review the [REDACTED] and provide recommendations for further improvement.

Position responsible: ADM, Corporate Management and Services Sector (CMSS)

Timing: Q3, 2023-24

  3. The Department does not have effective processes for human resource planning related to cloud technical expertise

Finding

The targeted audit found that several sectors within the Department have a high level of expertise in cloud, as some sectors have been working with cloud for over seven years. Despite this, the targeted audit was unable to identify defined and implemented processes for human resource planning related to cloud technical expertise. There were no defined and formalized mechanisms for capturing and tracking technical human resource requirements or capacity (e.g., the number of cloud resources needed, or the types of resources most frequently requested by sectors when seeking technical expertise).

Furthermore, the targeted audit identified an increasing need for personnel with technical cloud skillsets. The skills required to work with Cloud Service Providers (CSPs) are highly specialized, requiring specific training or professional certifications. Business owners who use cloud services were interviewed, and it was noted that the Department uses a large variety of CSPs, as sectors have few to no limitations on the vendors they may choose to use. Given that the Department is using multiple CSPs such as AWS, Azure, Salesforce and Google, there is a need for an improved HR strategy in order to enhance identification and recruitment processes to attract and retain human resources with the skills that the Department needs most.

There was no observed strategic planning to address this resourcing need across the regular HR process.

Additionally, through conducted interviews with CIOSB and sector leads, it was noted that the existing resource planning processes occur ad hoc, rather than following a strategic human resourcing plan.

Risk and Impact: Audit Risk assessed as MODERATE

Without defined human resourcing plans, the Department may have inadequate knowledge of its current capacity and of the HR needs it must meet to hire, retain and succession-plan for the ongoing support and delivery of cloud solutions across the Department.

The complexity, security profile and technical performance of cloud deployments vary by vendor. Moreover, human resources typically take highly specialized professional certification courses to become proficient to work with specific Cloud Service Providers and the talent pool becomes smaller when searching for IT staff who can work in multiple CSPs. Furthermore, cloud expertise is in high demand and is very costly. As such, the Department may experience operational risk, challenges, and higher overhead costs related to managing various environment security configurations and vendor end-user controls. Additionally, having various vendors within the Department leads to requiring vendor-specific skillsets, architectures, and software, which will create a higher cost to hire specialized resources by vendor or require the use of external consultants.

Recommendation #3

It is recommended that the ADM, CMSS, in collaboration with Sector ADMs, implement processes to identify human resource requirements and current staffing levels for technical cloud expertise, and develop and execute an HR strategy to attract, hire, and retain human resources in this area.

Management Response

In response to Recommendation #3, CIOSB will be developing a talent roadmap for hard-to-find skillsets, such as cloud expertise, as part of its digital strategy.

Position responsible: ADM, Corporate Management and Services Sector (CMSS)

Timing: Q4, 2023-24

Sub-Objective 2
The Department has adequate mechanisms for vendor financial and performance management to ensure reliable service performance, availability, data integrity and security.
Finding Area | Key Findings | Recommendation and Management Response

  1. The Department lacks policies, processes and tools for managing vendor technical and financial performance as well as for reviewing and taking action to mitigate identified vendor risks

Finding

[REDACTED]

Recommendation #4

It is recommended that the ADM, CMSS, in collaboration with Sector ADMs implement a vendor management process with defined roles and responsibilities for tracking vendor performance as well as remediating any noted issues.

Additionally, to provide reasonable assurance that the vendor is continuously performing in alignment with relevant GC policies and directives, the vendor management process should define the financial and technical reporting the Department collects and reviews from each vendor (e.g., SOC reports). For a SOC report, that review should confirm the period the report covers, note any control exceptions the auditor reported, and identify the complementary user entity controls the report assumes the customer has in place, since those remain the Department’s responsibility.

Management Response

Management agrees.

The department should have the assurance that its cloud providers have adequate and effective controls on a continuous basis for security, availability, processing integrity, confidentiality, and privacy. Business owners understand their costs of operations better against the benefits of their service delivery to Canadians. Each program is different. Business owners are in a better position to track and monitor costs for their respective vendors.

In response to Recommendation #4, CIOSB will engage central agencies for guidance on how NRCan should acquire assurance of vendor controls effectiveness on a continuous basis to comply with GC policies and directives. Further to this guidance, a policy clarifying the roles and responsibilities with respect to continuous monitoring of vendor performance will be put into place, with which business owners must comply. Given that the implementation of this policy will fall under the implementation of recommendation #1, the timing for completion of this action is linked to recommendation #1.

Position responsible: ADM, Corporate Management and Services Sector (CMSS)

Timing: Q4, 2022-23

Appendix A – Targeted Audit Criteria

The sub-objectives for the targeted audit were developed based on key risks identified by NRCan’s personnel who were consulted in the Planning Phase; cloud transformation and migration risks were identified through review of relevant associated policies and procedures (e.g., Policy on Service and Digital), industry thought leadership organizations (e.g., ISACA), and private sector businesses. The criteria have guided the fieldwork and will form the basis for the overall audit conclusion.

The objective of the audit was to assess the adequacy and effectiveness of NRCan’s governance, risk management and controls that are in place to oversee and manage cloud solutions.

The following audit criteria were used to conduct the targeted audit:

Audit Sub-Objectives | Audit Criteria

Sub-Objective 1:

To determine whether the Department has effective governance and risk management activities in place for the complete inventory of cloud computing services to enable the organization to fully achieve business objectives.

1.1 It is expected that there are oversight activities for the complete inventory of cloud computing services within the Department and its sectors.
1.2 It is expected that the Department consistently performs adequate due diligence activities throughout the cloud solution lifecycle including assessing the appropriateness of the cyber security controls in the cloud environment, performing Security Assessment and Authorization (SA&A) and Privacy Impact Assessments (PIA).
1.3 It is expected that the Department has designed effective human resource planning processes to identify cloud-specific technical expertise and available capacity needed.
1.4 It is expected that the Department has configured cloud identity and access management.
1.5 It is expected that the Department has documented and communicated Cloud risk management processes in alignment with applicable TB and Departmental directives, policies, and guidelines (e.g., policy suite related to Service and Digital).

Sub-Objective 2:

To determine whether the Department has adequate mechanisms for vendor financial and performance management to ensure reliable service performance, availability, data integrity and security.

2.1 It is expected that the Department has established vendor management processes to capture, track and monitor vendor costs.
2.2 It is expected that the Department has documented and communicated performance thresholds and reporting requirements (e.g., SOC reports).
2.3 It is expected that there is a process to review and take action to mitigate risks identified in the vendor’s cloud environment, and that the Department adequately maintains the processes and controls that the cloud service provider expects its cloud users to have in place (the user’s share of the shared responsibility model).
