Evidence of meeting #54 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.
A recording is available from Parliament.
9:10 a.m.
President, Shared Services Canada
Mr. Chairman, I would ask Raj Thuppal to take on that question and to focus on the enterprise data centre capabilities and the part that's set aside for Statistics Canada.
9:10 a.m.
Assistant Deputy Minister, Cyber and IT Security, Shared Services Canada
Thank you, Ron.
With regard to the privacy concerns for the data, we do work very closely with the customer organizations to identify the data security needs, and we employ security measures commensurate with the classification of data or the privacy impact assessments of the data. For example, for the census project that we did with Statistics Canada, we did employ additional security measures to ensure that none of the SSC employees, even though they might have access to the infrastructure, could actually see the data that is in the infrastructure. We used some special techniques and some processes when we worked with Statistics Canada.
We do take measures, when we are working with the departments, to ensure that privacy is well protected and that people who don't need access to the data won't see the data.
9:15 a.m.
Liberal
The Chair Liberal Dan Ruimy
We're going to move to Mr. Longfield.
Mr. Longfield, you have seven minutes.
9:15 a.m.
Liberal
Lloyd Longfield Liberal Guelph, ON
Thanks, Mr. Chair. I'll be sharing my time with Mr. Sheehan.
Thanks to all the witnesses for coming here. I am really interested in seeing how we're looking for efficiencies by sharing IT infrastructure, but I'm also interested in the service agreements that you have in place. During the chief statistician's appearance on March 23, we talked about the formal agreement between your organizations. Could you comment on what it covers, how the priorities are decided, and what your agreed upon service levels are?
You mentioned customer service, but are there other measure you have put in place to track success?
9:15 a.m.
Graham Barr Acting Senior Assistant Deputy Minister, Strategy, Shared Services Canada
Thank you.
I will just reiterate from the start that Statistics Canada is completely in control of its census and survey programs as well as its statistical methods. Our role at Shared Services Canada is to provide the IT platform to ensure the delivery of Statistics Canada's important programs, and to do that in a secure way.
We have 24 different services in our service catalogue at Shared Services Canada, and we have established service level expectations for each one of those services so that our customer departments know what level of service to expect from us. We've been working, as the president said, since about October with the chief statistician on a plan to reduce the risk in the IT infrastructure that is supporting Statistics Canada. It's a two-phase plan. The first phase was to address immediate areas of concern, and we're wrapping up that phase, and, as the chief statistician noted at this committee back a couple of weeks ago, he is satisfied that the level of risk has been substantially reduced.
The longer-term plan, as my colleagues alluded to, is to transfer Statistics Canada data holdings out of their old data centre and into the new one, but at every stage of this project, Statistics Canada retains ultimate control over the classification of its data and where that data is stored.
9:15 a.m.
Liberal
Lloyd Longfield Liberal Guelph, ON
So they are really driving the priorities and communicating those to you, and you're saying whether those are possible.
9:15 a.m.
Acting Senior Assistant Deputy Minister, Strategy, Shared Services Canada
Absolutely. That's the basis of our governance, not just with Statistics Canada but with all our customer departments. We respond to their business requirements, which are determined solely by them.
9:15 a.m.
Acting Senior Assistant Deputy Minister, Strategy, Shared Services Canada
No, it's not.
9:15 a.m.
Liberal
Terry Sheehan Liberal Sault Ste. Marie, ON
Thank you very much.
Thank you for the presentation. It was very informative.
About 20 years ago my business did business with the first commerce-enabled website in northern Ontario, and the data was housed in Winnipeg. I remember at that particular time, just 20 years ago, that it was a challenge getting people to make transactions on the Internet. We used the approach, “When you use your credit card on the Internet, it's much safer than going to a restaurant where you're giving your credit card to an individual, who gives it to someone else, who gives it to someone else. You've been exposed so many times.”
Fast-forward to today, and I'll use my father as an example. He makes all transactions on the Internet. People trust it. There are so many transactions going on, from his banking, to purchases, to planning his trips. The reason I say that is some of the models that have been put in place are quite amazing.
Instead of doing individualistic modelling, in which people are working in silos within governments, why is this better? The chief statistician mentioned in one of the presentations a model similar to what's happening now. Shared Services is responsible for cybersecurity, and in particular the prevention—because prevention is really important in this—of cyber-attacks. Could you comment on prevention and how you would deal with anything that slipped through the cracks?
9:15 a.m.
President, Shared Services Canada
In terms of the model overall, given the scarcity of really skilled resources in the cyber and IT security fields, it's important that we have a critical mass of people with this expertise in the government of Canada. That would be my starting point. Also, that's at the heart of being able to provide the protection and prevention services.
I'm going to ask Mr. Thuppal to elaborate again on the prevention side.
9:20 a.m.
Assistant Deputy Minister, Cyber and IT Security, Shared Services Canada
On the prevention side we have many controls that form the overall preventative system. For example, we have security technology in place to block certain types of attacks and certain types of emails from going through. We also conduct a number of assessments on the infrastructure to ensure that it is hardened, that it has all of the preventative mechanisms in place, and closes vulnerabilities. Also, we do supply-chain integrity checks. We have processes in place for that. There are quite an elaborate number of preventative tasks that we do, including identity management and ensuring access controls.
When things do slip, we have very good detection capabilities. As Ron mentioned, we have the security operations centre monitoring 24-7. As soon as we detect a breach, we act swiftly, respond to it, and then recover from the breaches. We have a holistic approach to security, working very closely with our security partners, and also the customers.
9:20 a.m.
President, Shared Services Canada
I would just like to add that one really key benefit from pulling everyone together on one common network has been the perspective that you can have across the whole system, the great visibility that you have of what's coming in from the Internet and what's going out to the Internet. That is also supported by the Communications Security Establishment, with the application of tools that previously could not have been in place to help provide security to the government of Canada's network.
9:20 a.m.
Liberal
Terry Sheehan Liberal Sault Ste. Marie, ON
I have a very quick question. Throughout this process, is Shared Services able to see any of Statistics Canada's data?
9:20 a.m.
President, Shared Services Canada
In the legacy data centre, Shared Services Canada staff have taken an oath of secrecy and are secret cleared. In the way that this network has been established, they can see the data. As Mr. Thuppal said, in terms of the census, however, Shared Services Canada employees cannot see that data. One of the questions or design issues as we go ahead with Statistics Canada in looking at the new data centre and its security requirements is to what extent you would want to apply that same standard for statistically sensitive information.
9:20 a.m.
Liberal
9:20 a.m.
Conservative
Ben Lobb Conservative Huron—Bruce, ON
Thanks very much.
Mr. Parker, you said that the rating from your customer feedback went from 2.79 to 3.06. What range or scale is that on? Is that out of 10?
9:20 a.m.
President, Shared Services Canada
Mr. Chair, it's on a scale of five, and across 43 different partners, moving the results on that index is not an easy thing to do.
9:20 a.m.
Conservative
Ben Lobb Conservative Huron—Bruce, ON
Right. Of all the 43 that you provide services to, what department has the biggest spike in traffic bandwidth? Would it be Stats Canada?
9:20 a.m.
President, Shared Services Canada
Mr. Chair, on a point of clarification, do you mean a spike in traffic or an improvement in the rating, or...?
