Evidence of meeting #50 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Ms. Nancy Vohl
Narindar Khabra  President, IBISKA

5:05 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Khabra. I appreciate that.

Yes, go ahead.

5:05 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Mr. Chair, may I just suggest, given that he's already got that printed out, that he might be willing to leave that with the committee for the consideration of our analyst? He's already read it in.

5:05 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Green.

Mr. Khabra, it's all on the public record. I'm sure you have no problem supplying that to the committee.

5:05 p.m.

President, IBISKA

Narindar Khabra

I do have some other notes on that one, but I can send an email to you guys.

5:05 p.m.

Conservative

The Chair Conservative John Brassard

That would be terrific, sir. Thank you.

Is that okay, Matt?

We're going to move on to the next round, which is five minutes. We're going to be starting with Mr. Kurek.

You have five minutes.

5:05 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Chair.

Thank you, Mr. Khabra, for coming before the committee today.

I'm very curious for some more details, so please table that documentation you've referred to.

You've also mentioned a number of meetings and whatnot. I think it would be valuable for the committee to be able to see this to understand some of the scope that's included.

Specifically, if I'm understanding correctly, within the scope of work that your company was contracted to do, was it when the security incidents were brought forward? Is that when your company was brought in? Was it to fix them? You're basically paid when you're asked to do work, so can you provide a little bit of detail as to when your company was asked to do the work?

5:10 p.m.

President, IBISKA

Narindar Khabra

As I said, it is not when the incidents are there. It's when the applications or the systems are developed or when there are any changes to be made. The security aspect has to be there, because otherwise we will not be secure.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Does your company design the security side of that or test it? What exactly is your company's role on the security side of things?

5:10 p.m.

President, IBISKA

Narindar Khabra

As I said, we do consulting services. We provide resources, which have the expertise to do all these things, to the government. They're actually at the customer site. If the customer wanted them to do the testing, they will do the testing. For example, if a vulnerability assessment is done, it may require individuals to actually go and test the system or communication lines. Sometimes people have to do that.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

If you're hired to test for vulnerability and security, do you then provide a report to the government? What's the process that actually...? If the government asks you to come and conduct a service, like a vulnerability assessment, what happens after you've done that assessment?

5:10 p.m.

President, IBISKA

Narindar Khabra

There is always a deliverable. The individuals write the report and everything else.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Okay.

5:10 p.m.

President, IBISKA

Narindar Khabra

There's the deliverable part of that, and it's delivered to the government.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

It's these deliverables that I'm very curious about, because this is incredibly sensitive information being compiled and brought into this app. We heard some concerns about web-based versus app-based and the use of Apple and Play Store.

I'm curious as to the results of that. When you talk about deliverables, do you provide an assessment? Do you give it an A+ or an F-? What is the end result there?

5:10 p.m.

President, IBISKA

Narindar Khabra

As I'm saying, it's called a security assessment—an assessment is done—and authorization.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Are those assessments like a document that you would then email to your customer, which is CBSA, in this case?

5:10 p.m.

President, IBISKA

Narindar Khabra

We don't email it. It's written. The consultant will actually.... We are not privy to a lot of information. This is a private....

Obviously, when they're developing applications, as a company we are not privy to that. However, individual consultants who work on a particular project or application will provide that document to them.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

At the end of this assessment and this consultation, there would be a document that has something filled out that says that it is secure or it's not secure, or that A could be improved but B was acceptable. I'm trying to understand here. Is that....?

5:10 p.m.

President, IBISKA

Narindar Khabra

That's my understanding, yes.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Your company doesn't maintain those records. CBSA has them.

5:10 p.m.

President, IBISKA

Narindar Khabra

Exactly. Keep in mind that these are secret documents. The companies cannot actually keep it unless they have a document safeguarding facility.

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Is it evaluating work that's been done by CBSA in-house?

5:10 p.m.

President, IBISKA

5:10 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

That's done, presumably, on site. Would they go to a border station or would they be doing it from their office? How do they know what they're evaluating?

5:10 p.m.

President, IBISKA

Narindar Khabra

I was not aware of where they were doing it. Most likely they will be at a customer site, wherever the customer wanted to work with them.