Public Accounts Committee on March 30th, 2023

I think we are experiencing things that are very similar to what other organizations do at this stage of our maturity. We are less than 10% in the cloud. I think we are adopting what are standard best practices, and I think we are learning unfortunately a lot of the same lessons that organizations learn, which is.... One of the key findings of the Auditor General's report was that we have great standards and guardrails in place, but the application of them was inconsistent, which is why the automation is so very important.

Not that I'm aware of, but I might ask my colleague, who has been around the table a little longer, if there was an international benchmark done. There is not one that I'm aware of.

What I know about that—and maybe our colleagues from the Centre for Cyber Security will have views—is that we often compare our practice here in Canada to the standards of the Americans on cybersecurity. We do comparisons, but again, I'm not sure we have a report that will do a broader scan.

I would like to add as well that in terms of our assessment of the CSPs, the cloud service providers, we do look at international standards such as ISO FedRAMP in the United States, as well as SOC 2 Type 2 reports, which are required in terms of the assessment process. We make sure that we're very harmonized with the international standards and the U.S. in that space.

In terms of the roles and responsibilities, we were concerned that unclarity led to questions about who was on first, who was going to be dealing with issues when there was an event. We did also identify that the monitoring and oversight could be improved both by Shared Services and by PSPC.

I won't get into the details of some of the information that we weren't able to include in the report, but what we identified was that for the guardrails for the security requirements that are in place, they should be implemented in their entirety, and ongoing monitoring should be happening as well.

In my view, this is a role for the Treasury Board Secretariat to provide guidance and policy.

Just to make a point of clarification, it's 10% of systems, not data. It's a little different.

No, no, that's okay, but it's important that nuance.

I think we can continue course and speed. We have actually quite aggressively moved on the Auditor General's findings already, as I outlined in some of my remarks, and we will continue to tighten things as we move along.

There is always, as part of putting a new system into production, i.e., into the cloud, a released production activity list you go through to make sure that things have been met. We'll be disciplined in making sure that for cloud migrations, we pay very close attention to that, to ensure that we're managing that risk.

We looked at three departments. We weren't looking across the entire government. Because it's not a representative sample or anything, our results can't be extrapolated across the government, but the areas we identified in our report related to three departments.

We didn't look into that degree of specificity. We were looking at the testing of their plans and the implementation of their plans.

On an ongoing basis, we're assessing the threats to cloud service providers. We're providing threat assessments on those. We're providing advice and guidance for cloud service providers, including for the government and Canadians, in terms of how to secure your cloud systems. On an ongoing basis we're seeing how the threat landscape is changing in accordance with technologies and we're making sure that our advice and guidance and information are up to par.

For the government we're also deploying cyber-defence services to make sure the technologies we deploy for the government are actually taking into account the new threat factors we're seeing from both classified and unclassified sources, and we're making sure that those technologies are implemented on our servers.