The Canadian province’s SHC contains questions related to IT infrastructure, security, and management and is designed to cover all aspects of the Information Security Forum’s Standard of Good Practice, the auditor explained.
The province’s Office of the Chief Information Officer (OCIO) is supposed to use information gathered from the SHC system to make decisions on resource allocations to improve information security across the government.
However, according to the auditor general, the British Columbia government “has not fully implemented an effective process to ensure that the SHC information is reliable and appropriately supported. This reduces its effectiveness as a risk monitoring tool for IT security compliance in ministries, for assessing improvements over time, or determining if ministry security targets are being met.”
To address these shortcomings, the auditor general offers the following recommendations to the OCIO: develop more detailed guidance for ministries in gathering support at each scoring level in their annual security review self-assessments; establish an audit process to ensure ministry assessment levels are reasonable and supported with sufficient and appropriate documentation; develop a process that will identify causes of fluctuations in ministry compliance results, and develop specific action plans to deal with those causes; require all ministries to complete a ministry-wide SHC assessment; work with ministries to develop compliance performance targets suited for each ministry; and ensure that all ministries use the same assessment tool for their information security self-assessments.
“In the coming year, we will follow up with the OCIO to assess its progress in addressing our audit recommendations. We will also review how British Columbia’s efforts compare with those of other jurisdictions, and examine the impact of these efforts on IT security nationally,” the auditor general concluded.