| 2005 Audit Recommendations - Status Tracking | |||||||||||||||
| Document 3 | |||||||||||||||
| Audit: Internet Usage and Controls | (EMC Lead: S. Finnamore / Staff Lead: J. Harris-Campbell)[1] | ||||||||||||||
| Audit Recommendation | Management Response | Comments | Budget Implications 2007 or Beyond |
Related Council Motions | Status Update | ||||||||||
| Audit Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1- Q4) | (Risks, issues regarding implementation, etc) | ($$ if known) | |||||||||||
| 1 | That Information Technology Services (IT Services) investigate the tools used to perform blocking by file type to enable this feature regardless of extension. | Management
agrees with recommendations 1, 2 and 3. IT Services is investigating a new feature recently available for the first layer of virus-scanning protection, which permits blocking of file types regardless of the extension used. Testing to ensure there is no negative impact on e-mail delivery services will occur in Q1 2006. IT Services considers that the risk of using the current version of Symantec Antivirus (7.61) is mitigated as three additional layers of anti-virus and malicious file protection also safeguard the City network, and Symantec continues to issue updated virus signature files per the support agreement up to January 31, 2006. It is not uncommon for an organization of the size of the City of Ottawa to delay or skip version upgrades of software products. Upgrades are done either because the new functionality offered is needed by the City and is supported by a business case for the upgrade, or because the product is no longer supported by the vendor. IT Services has evaluated the additional features and business case for each new version as it is released. |
IT Services investigated a new feature for the first layer of virus scanning protection that permits the blocking of file types regardless of the extension used. Testing has been conducted to ensure that there is no negative impact on e-mail delivery. | Q1-06 | None | No | Complete | ||||||||
| 2 | That IT Services deploy the latest Symantec Antivirus version. | Symantec will continue to issue updated virus signature files per the support agreement up to Jan 31, 2006. IT Services plans to have the main Symantec Antivirus infrastructure upgraded by this time. | Q3 - 06 | None | No | Complete | |||||||||
| 3 | That IT Services update the configuration of the Antivirus systems to include anti-virus checking on read from disk and before program execution. | Symantec recommended in late Q3 2005 that the City begin a managed upgrade directly from version 7.61 to version 10. Configuration change QA'd and deployed as part of SAV 10 rollout to servers and workstations. Upgrade of main infrastructure completed by Jan 31, 2006. | Q1-06 | None | No | Complete | |||||||||
| In fact, the
City partnered with Symantec in Q1 2005 to beta-test version 10, as this is
the first version to add features to safeguard against the current threat
from spyware. Following this evaluation, Symantec recommended in late Q3 2005
that the City begin a managed upgrade directly from version 7.61 to Symantec
Antivirus version 10. IT Services initiated the upgrade to Symantec Antivirus 10 in Q4 2005, to be completed by January 31, 2006. This upgrade includes an assessment of the productivity impact of including anti-virus checking on read from disk and before program execution. |
|||||||||||||||
| 4 | That IT Services: a) review the level of awareness of the SPAM e-mailbox and increase visibility if warranted. |
Management agrees with these
recommendations. The spam@ottawa.ca mailbox continues to be part of IT Services’ ongoing security awareness program. Over 1,000 e-mails received by City staff from external sources are submitted monthly to the SPAM mailbox for review. In addition, four City Brief articles were published in 2005 on the topic of SPAM, each including a reminder about the availability of the SPAM mailbox. IT Services will continue to remind staff of the SPAM e-mailbox regularly. |
IT Services will continue to remind staff of the SPAM e-mailbox regularly. | Ongoing | No new action required. Continue to provide reminders to staff as currently provided. | None | No | Complete | |||||||
| b) continue monitoring of the effectiveness of the current SPAM filtering tool. | Upgrades to the
SPAM filtering service are implemented by IT Services when available from the
vendor, to ensure continued effectiveness of the service. As noted in the
report, monitoring of the SPAM filtering service is performed daily, and
reviewed monthly by IT Services. October data from MessageLabs indicated that 65% of all e-mail worldwide was identified as SPAM. Of the 50,000 e-mails received from external sources daily to the City’s 9,000 e-mail users, slightly over 50% is identified as SPAM and immediately rejected. Roughly 0.5% of these e-mails are SPAM that is not identified or rejected, and successfully reaches a City recipient – 250 e-mails per day for the entire City. Users are encouraged to forward SPAM messages to IT Services to assist in increasing the effectiveness of the SPAM filtering service. |
Upgrades to the SPAM filtering service are implemented by IT Services when available from the vendor. Also, monitoring of the SPAM filtering service is performed daily, and reviewed monthly by IT Services. | Ongoing | No new action required. Continue to provide reminders to staff as currently provided. | None | No | Complete | ||||||||
| 5 | That IT
Services: a) tighten the Websense service implementation to reduce possibility of service bypass. |
Management
agrees with this recommendation. In 2005, prior to the audit, IT Services launched an extensive project to enhance the rigour of the Websense implementation, scheduled for completion in Q1 2006. At the time of writing this response (November 2005), an extensive range of additional Websense filtering features is now in place. The audit findings identified one small site (the Don Gamble Community Centre) that allowed City of Ottawa staff unfiltered access to the Internet. This was a subnet routing issue that misidentified these four City staff to Websense as Library staff workstations, which are unfiltered (see below). IT Services has corrected this routing issue. |
Prior to the Audit, IT Services launched an extensive project to enhance the rigour of the Websense implementation. | Q1-06 | Websense upgraded Q4 2005, and included selective protocol blocking, addition of highly restrictive policy sets and improved subnet routing. | None | No | Complete | |||||||
| b) review some level of Library filtering to reduce the risk, such as a limited number of isolated general use systems for unfiltered web access. If this cannot be completed to an appropriate level, then IT Services should consider separating the Ottawa Public Library from the City's system. | Unfiltered
Internet access is provided to Ottawa Public Library (OPL) staff for reasons
of intellectual freedom. This is as a result of a Library Board directive and
therefore is a governance issue with the Library Board and outside the
jurisdiction of the IT Services Branch. Since 2001, a considerable amount of effort from IT Services has been directed to manage the risk of this configuration. For example, Library workstations are on separate network segments that make it easy to isolate viruses, worms and spyware in the event of a malicious code outbreak. On the advice of IT Services staff, Library Management agreed, in October 2005, to allow IT Services to protect their workstations from Internet-borne malicious code. The workstations used by Library staff do not allow staff to visit malicious websites, however they remain completely unfiltered for all other website content. |
Given that the Library is governed by the Library Board, it may not be possible to influence the board to allow unlimited access. If filtering cannot be done at a reasonable level, IT Services agrees that the OPL have a separate system. This would be a large undertaking that would involve significant costs. A budget pressure will be identified in the 2007 budget. | Q1-06 | Library Board approved new restricted XP desktop image in June 2005, which controls access to instant messaging programs. Library Board further supported the recommendation to begin filtering Internet malicious traffic on October 6th, 2005. Websense Security premium group implemented. XP desktop controls implemented. IT Services considers the risk to the City network sufficiently mitigated, and does not plan to pursue separation of networks. | None. | No | Complete | ||||||||
| 6 | That IT
Services: a) deploy the latest Symantec Antivirus version. |
Management
agrees with this recommendation. IT Services considers that the risk of using the current version of Symantec Antivirus (7.61) is mitigated as three additional layers of anti-virus and malicious file protection also safeguard the City network, and Symantec continues to issue updated virus signature files per the support agreement up to January 31, 2006. It is not uncommon for an organization of the size of the City of Ottawa to delay or skip version upgrades of software products. Upgrades are done either because the new functionality offered is needed by the City and is supported by a business case for the upgrade, or because the product is no longer supported by the vendor. IT Services has evaluated the additional features and business case for each new version as it is released. In fact, the City partnered with Symantec in Q1 2005 to beta-test version 10, as this is the first version to add features to safeguard against the current threat from spyware. Following this evaluation, Symantec recommended in late Q3 2005 that the City begin a managed upgrade directly from version 7.61 to Symantec Antivirus version 10. |
See recommendation #2. | None | No | Completed as per recommendation #2 | |||||||||
| b) update the configuration of the Anti-Virus systems includes anti-virus checking before file read and before program execution. | See recommendation #3. | None | No | Completed as per recommendation #3 | |||||||||||
| IT Services initiated the upgrade to Symantec Antivirus 10 in Q4 2005, to be completed by January 31, 2006. This upgrade includes an assessment of the productivity impact of including anti-virus checking on read from disk and before program execution. | |||||||||||||||
| 7 | That
IT Services: a) review logging and monitoring processes and systems for effective operational system health and policy enforcement monitoring. |
Management
does not completely agree with these recommendations. Industry best practices do not support full logging on all devices at all times due to the high cost. IT Services implements additional logging and alerting on a selective basis, such as with certain high-risk devices or where there is a concern with a particular device. As part of the Enterprise Security Review project initiated in Q1 2005, IT Services has contracted a third party security company to perform a detailed review of logging and monitoring processes and systems, including an assessment of the cost impact of these recommendations. The review will be completed in Q1 2006. If additional logging is required, a budget pressure will be identified in the 2007 budget. IT Services has implemented alerting for device failure on all servers and network devices. IT Services has updated all firewalls to receive a synchronized time from NRC. |
Will commission a detailed review by an external security company of logging and monitoring processes and systems, including an assessment of the cost impact of these recommendations. | Q1-06 | IT Services commissioned Allstream to undertake a study on this issue and provide recommendations. | None | No | Complete | |||||||
| 7 | b) identify log events that require "real time" detection and alerting and implement appropriate processes. | IT Services does not support full logging devices at all times due to high costs. IT Services implements additional logging & alerting on a selective basis. | Q1-06 | Addressed in Allstream report. | None | No | May 31/07
Procurement process underway. In progress. Procurement of Network Management System (planned 2007) will enable implementation of logging, based on Allstream recommendations. |
||||||||
| 7 | c) review all security devices to ensure appropriate logging coverage. | IT Services has contracted a third party to perform a detailed review. IT Services has implemented alerting for device failure. | Q1-06 | Addressed in Allstream report. | None | No | Complete (included in 7a) | ||||||||
| 7 | d) ensure all device clocks are centrally synchronized for effective event correlations. | IT Services has updated all firewalls to receive a synchronized time from the NRC. | Completed | Implemented October 2005. | None | No | Complete | ||||||||
| 7 | e) review regulatory and City policy requirements for an appropriate logging data retention period. | Changes will be completed following a detailed review of logging and monitoring systems. | Q3 2006 | Addressed in Allstream report. | None | No | Complete (included in 7a) | ||||||||
| 7 | f) consider feeding log and monitoring data into a Security Information Management (SIM) tool for automated event analysis and correlation, to better provide a near real-time City security posture. | A review of regulatory and City policy requirements for logging
data will be completed in Q2 2006, following the detailed review of logging
and monitoring processes and systems in Q1 2006. Log data will be retained in
accordance with the City’s Records Management Policy and By-Law. The need for additional logging and Security Information Management (SIM) tool will be assessed in Q2 2006 and if required a budget pressure will be identified in the 2007 budget. Additional logging is estimated to cost between $75,000-$150,000. To purchase and implement a SIM is $150,000, with ongoing operating costs in excess of $200,000 per year. Ongoing FTE (or equivalent) requirements are unknown at this time. |
The need for additional logging and SIM tool will be assessed. | Q4 2006 | Assessed following delivery of the Allstream logging report. Where additional logging was recommended by Allstream, planned Network Management System, plus additional network intrusion monitoring, logging and alerting and outbound firewall controls will be implemented. | No | Based on
discussions with the CAWG on March 6, 2007 and subsequent discussions with
the Auditor General, ITS has initiated a modified workplan for 2007/08 that
achieves the intent of this recommendation within existing approved budgets. The workplan involves a phased
implementation that includes system logging on selected devices;
investigation and deployment of intrusion detection/protection devices and
services, and implementation of a network management system (see 7b) above). May 31, 2007: no activity pending procurement noted in 7(b). |
||||||||
| 7 | g) ensure all devices are logging operational health and security events as a minimum. | Agree. Expect this to come from the Allstream report. | Q3-06 | Allstream recommendations implemented. | None | No | Complete | ||||||||
| 7 | h) enable system logging on all devices. | Disagree with recommendation. Industry best practices do not support full logging on all devices at all times due to the high cost. | Allstream recommendations confirmed logging of all devices would not be cost efficient or provide adequate return on investment. | None | No | As a result of
discussions at the March 6 meeting of CAWG and subsequent discussions with
the Auditor General, the following work plan was deemed acceptable.To be
completed in 2007: Q3-Q4: Procure a system-logging server to act as the repository for log data. Q4: Adjust levels of logging on network devices and begin feeding log data to the system-logging server. To be completed in 2008: Q1-Q2: Evaluate and procure available log auditing and analyis tools. Both in-house and outsourced solutions will be evaluated. Q2-Q3: Develop formal log analysis and auditing procedures. Q4: Implement formal log analysis and auditing procedures. May 31, 2007: no activity pending procurement noted in 7(b). |
|||||||||
| 8 | That IT Services: a) implement a more robust Change Management process/system within Corporate Services. |
Management agrees with these recommendations. The current Change Management process in place since 2001 was enhanced in Q4 2005 to encompass all IT Services divisions and the requirement to comply with the City’s Records Management Policy. The Chief Information Officer reminded all IT Services Managers and Program Managers in November 2005, of the requirement to adhere to this Change Management process. This includes the requirement to document results achieved and record these centrally using the City’s Records Management framework. |
Agree. Change Management process was updated in Q4 2005 to encompass all division requirements and to comply with the City's Record Management Policy. | Q4 - 05 | In 2006, IT will continue to enhance and improve the change management process, adopting IT Infrastructure Library (ITIL) change management process, which is more robust and reflective of industry best practices. | None. Any additional changes will be completed within the existing budget envelope. | No | Complete | |||||||
| b) enforce the formal Change Management process for all changes to the firewalls and other security systems. | The CIO reminded all IT Services managers & Program Managers to adhere to the change management process. | Q4 - 05 | As above. | None | No | Complete | |||||||||
| 9 | That IT Services ensure the policy prohibit the installation of software not officially sanctioned. | Management
agrees with this recommendation. Section 6.4 of the revised Responsible Computing Policy, approved by City Management in September 2005, states: “Users shall not install or download software, shareware, freeware or any other application program onto City-owned IT assets without the express written permission of ITS.” |
Section 6.4 of the revised Responsible Computing Policy states that users shall not download software, shareware, freeware or an other application onto City owned computers without permission. | Implemented new Responsible Computing Policy in September 2005. | None | No | Complete | ||||||||
| 10 | That IT Services ensure the policy prohibit the use of non-City approved computing resources for processing City data and assets. | Management
does not completely agree with this recommendation. This recommendation applies to the following two situations: · Use of non-City hardware by staff and/or consultants on the City network (e.g., laptops). Processing City data and assets using non-City hardware (e.g., home computers). IT Services concurs with the recommendation with respect to the use of non-City hardware on the City network (e.g., laptops). In section 6.3 of the revised Responsible Computing Policy, approved by City Management in September 2005, the Policy states: “Non-City hardware shall not be connected to the Corporate network without the express written consent of the ITS Branch.” |
Management does not agree with this recommendation. Such restrictions would prohibit the use of web-mail from home computers. However, the Responsible Computing Policy does stress employee obligations to safeguard electronic information whether being processed at a City facility or not. | To further formalize the existing approval process for non-City devices, IT Security has drafted a procedure for assessing and safely utilizing non-city assets on the City network with the approval of IT Security. No further action required. | None | No | Complete March 2007 - Responsible Computing Policy updated to reflect prohibition of non-City assets connecting to network and requirement to protect City information assets when accessed via web-mail. |
||||||||
| · IT Services does not agree with this recommendation with respect to processing City data and assets using non-City hardware (e.g., home computers). Such a restriction would prohibit the use of web-mail from a home computer, or working from home on a Word document or Excel spreadsheet. The Responsible Computing Policy clearly defines employee obligations to safeguard electronic and information records in their custody, whether being processed at a City facility or not. The City’s Defence-in-Depth Strategy mitigates the risk to the corporation from malicious software brought from a non-City computing environment. | |||||||||||||||
| 11 | That IT Services review the retention periods for e-mail (including deleted e-mail) and compare to use of this data as corporate records and industry best practices. | Management
agrees with this recommendation. The retention period for e-mail was reviewed against federal, provincial, and municipal legislation prior to approval of the Records Retention and Disposition By-law approved by Council and the Records Management Policy in 2003. Automated retention rules for e-mail were implemented as a part of an upgrade to the Exchange Server product in September 2005, to ensure compliance with this by-law and policy. |
Retention periods for e-mail were reviewed against federal, provincial and municipal legislation prior to approval of the Records Retention & Disposition By-Law. Automated retention rules were implemented as part of an upgrade in Sept 2005 to ensure compliance with the by-law and policy. | Automated retention rules for e-mail were implemented as a part of an upgrade to the Exchange Server product in September 2005, to ensure compliance with this by-law and policy. No further action required. | None | No | Complete | ||||||||
| 12 | That IT Services review the users with administrator rights on their workstations, and where not justified and required, remove the administrator privileges for that user. | Management
agrees with this recommendation. A rigorous documented formal process is followed whenever any user requires local administrative rights. As part of the Enterprise Security Review project, a review will be conducted regarding administrative access rights for IT Services with recommendations provided to the IT Services Management team in Q1 2006. This review will be repeated on an annual basis. More restrictive administrative rights for laptop users are being implemented as part of the life cycle laptop replacement program. At this point, funding is available to replace roughly 100 units of the total fleet of 900. Roughly 50% of the current fleet of City laptops are now running a version of the operating system that offers administrative rights control. IT Services plans to implement these administrative rights restrictions by the end of Q1 2006. The remaining 50% of the City laptop fleet needs to be replaced. |
A review will be conducted with recommendations provided to the IT Services Management team. The review will be repeated on a semi-annual basis. More restrictive rights are being implemented for laptop users as part of the laptop replacement program. | Q4-2006 | Process
to be developed with TI and IT Security to review existing individual
administration privilege requirements.
To fully comply with this
recommendation, all non-XP laptops would have to be replaced with current
operating systems with the administrative granularity capable of
removing/limiting administrator privileges. Total cost $700,000 to accelerate
laptop replacement program over 12 months.
This is not recommended due to cost, but will be implemented through
normal upgrade program. New XP laptop build has more restricted rights. AD GPOs are being rolled out to centralize technical management of enhanced workstation rights. Non-XP laptops are being replaced through normal lifecycle program. |
None | No | Complete | |||||||
| Funding of
$700,000 and one (1) additional FTE (or equivalent) will be required in order
to accelerate this replacement program to be completed over twelve (12)
months. A budget pressure will be identified for the 2007 budget to
accelerate this replacement program to be completed over twelve (12)
months. |
|||||||||||||||
| 13 | That IT Services: a) review organization roles and responsibilities with accompanying agreements, such as Service Level Agreements (SLAs). |
Management
disagrees with these recommendations. IT Services has reviewed existing organizational roles and responsibilities, and believes that these roles and responsibilities are clearly delineated and effective. Separation of duties and other organizational control mechanisms are fully implemented and maintained across the entire branch. |
IT Services has reviewed existing roles and responsibilities and believes they are clearly defined and effective. | No further action required. | None | No | Sept 2007 - Complete |
||||||||
| b) clearly define roles/responsibilities and define processes to ensure control implementation and monitoring is covered. | Organizational control mechanisms are already fully implemented and maintained across the entire branch. | No further action required. | None | No | Sept 2007 - Complete |
||||||||||
| 14 | That IT Services develop an Encryption Policy to address key aspects of encryption related to the City's operations and requirements. | Management
agrees with this recommendation. Encryption technologies are currently used to safeguard specific systems, but these de facto standards are not presently in one reference document. Existing encryption standards will be collected and documented by Q2 2006. |
Existing encryption standards will be collected and documented and incorporated into the IT Security procedures and standards. | Q4 2006 | None currently anticipated. Will be determined after existing procedures and standards are reviewed. | No | Encryption
standards are under development and will be included in the IT security
procedures and standards (revised completion date Q1 2007). May 31, 2007: Standards underdevelopment as part of a larger IM/IT Security Standards project. Expected completion is Q4 2007. |
||||||||
| 15 | That IT Services identify tools for encryption of sensitive e-mail content. | Management
disagrees with this recommendation. The revised Responsible Computing Policy, section 7.1, as approved by City management in September 2005 stipulates that sensitive information is not to be transmitted via the corporate e-mail system. An enterprise wide e-mail encryption solution would be for internal use only and would not necessarily be compatible with external partners, as there is no national or international standard for e-mail encryption. Should an enterprise-wide e-mail encryption solution be required, it is estimated to cost $100,000 and require 2 FTEs (or equivalent) to administer. A budget pressure would be identified for the 2007 budget. |
Management disagrees with this recommendation. The revised Computing Policy stipulates that sensitive information should not be transmitted via e-mail. An enterprise wide e-mail encryption solution would be for internal use only and would not be compatible with external partners. | Should this be required, it is estimated that it will cost $100,000 and require 2 FTEs to administer. | None | No | March 13, 2007 -
The ITS Branch is evaluating a secure file exchange service that can be used
with City business partners to exchange sensitive documents. It is
anticipated that this service will be available in Q4 2007-Q1 2008. May 31, 2007: service evaluation underway. |
||||||||
| 16 | That IT Services implement strong encryption on the link between DC2 and the library lab network that uses the Internet for communication. | Management
agrees with this recommendation. IT Security will investigate the use of this link and the safeguards currently in place in Q4 2005. |
IT Security will investigate the use of this link and the safeguards in place. | Q4 - 05 | None | No | Complete | ||||||||
| 17 | That IT
Services: a) create a program with annual user IT Security policy review with mandatory quarterly/semi-annually IT Security awareness briefings. |
Management agrees with these
recommendations. A formal IT Security Awareness program already exists. Awareness articles are issued through City Briefs on a monthly basis, Management Bulletins are also issued as necessary, and IT Security awareness briefings occur to address strategic issues or groups. Awareness activities have been part of the annual planning cycle since 2003. Flash e-mail awareness campaigns will continue. A third party review to measure and assess the current awareness targets and associated delivery strategy was scheduled to begin October 2005 as part of the Corporate IT Security Awareness Program. This review was deferred to 2006 due to a City-wide budget freeze, and will include specific recommendations and a workplan identifying the priority messaging targets. |
Will be addressed through the Corporate IT Security Awareness program. Conducting an environmental scan to evaluate awareness. | Q4 - 06 | None | No | Environmental
scan completed. Implemented mandatory internet "tip of the week" on
user login to the internet. Further enhancements to the IT security awareness
program will be implemented as part of the revised IT security strategy in
2007. May 31, 2007: IT Security intranet web page and content under development. |
||||||||
| b) continue the Security flash e-mail awareness campaign notifying users of significant e-mail attacks. | Will be addressed through Corporate IT Security Awareness program. | Q4-06 | None | No | As above. | ||||||||||
| c) improve the effectiveness of the IT Security awareness campaign. | A third party will review the effectiveness of the awareness campaigns. | Q4-06 | None | No | As above. | ||||||||||
| 18 | That IT
Services: a) monitor and control the use of the Internet and e-mail usage by City employees. |
Management
agrees with these recommendations. IT Services uses Websense to monitor and control the use of the Internet at a macro or system level. Prior to the audit, IT Services launched an extensive project to enhance the rigour of the Websense implementation, scheduled for completion in Q1 2006. An extensive range of additional Websense filtering features is now in place that enhances the monitoring of Internet usage and blocking of websites that are not consistent with the Code of Conduct and Responsible Computing Policy. Monthly reviews of Websense reports by IT Services will continue, and changes to categories, website blocking, and follow-up investigations will continue. |
An extensive range of Websense filtering features is now in place. Monthly reviews of Websense reports by IT Services will continue, change categories, website blocking, and follow-up investigations. An analysis of a minimum of 50 user accounts will be conducted on a semi-annual basis. | Q1-06 | This will be done as part of the twice-yearly Internet Policy Compliance Assessment process. See recommendation 18c below. | None | No | Two (2) compliance audits conducted in 2006 using existing resources and deferral of other activities (anti-spam and internet filtering improvements and upgrades). | |||||||
| b) develop appropriate recording tools that provide reliable reporting of e-mail usage. | In 2006 IT Services will enhance Internet monitoring using existing Websense reporting tools. A detailed analysis of a minimum of 50 Internet accounts will be conducted on a semi-annual basis for compliance with the Responsible Computing Policy. Instances of non-compliance will be investigated in conjunction with managers and the Labour Relations unit within Employee Services Branch. It is projected that this level of review and follow-up will generate the equivalent of 1.5 FTEs (2,700 hours) of staff effort to implement. | IT Services will investigate additional tools and reporting capabilities that would enable the monitoring of e-mail. | Q1-06 | Allstream engaged to conduct e-mail assessment. | No | Complete Allstream has provided a detailed analysis which concludes that no tools are available to meet these requirements. |
|||||||||
| c) develop and implement a process to provide managers with reports of their staff's Internet and e-mail usage so that management can evaluate if appropriate usage of e-mail and Internet is occurring. | IT Services/Labour Relations will be contacting the respective managers of the 50 random and 50 top users generated throughout the audit. IT Services in consultation with Labour Relations will provide the Internet log report along with guidelines on how to interpret the data set and how to approach employees with any concerns that might be presented on their Internet usage. | IT Services will continue to produce management reports & metrics. Evidence of non-compliance will be investigated in conjunction with managers. IT Services, with assistance from LR, will provide guidelines to managers on how to interpret data and how to approach employees. | Q2-06 | Two Internet usage audits will be performed annually. Once a year, a review of the Top 50 Internet users will be performed. Once a year, a review of a random 50 Internet users will be performed. At present, there is no intent to assess e-mail usage. The review performed by Allstream (see 18b above) determined that there is no automated tool to perform this assessment in a cost-effective manner. | None | No | Complete | ||||||||
| d) revise the Responsible Computing Policy to limit use of the Internet to mainly business purposes and limit personal usage to incidental or occasional only. | IT Services
will continue to produce management reports and metrics using Promodag, and
will investigate additional monitoring tools and reporting capabilities that
would enable monitoring of individual e-mail accounts. Evidence of
non-compliance with the Responsible Computing Policy will be investigated in conjunction with managers and Labour Relations. At this time, the additional effort to review and follow-up is not known pending identification and selection of new tools. A budget pressure would be identified for 2007 to acquire and implement additional monitoring and reporting tools. |
The Responsible Computing Policy will be reviewed to ensure that it applies equally to both Internet usage and e-mail usage, and reflects current practice. | Q3-05 | Implementation of new Responsible Computing Policy on May 4, 2006. New RCP reflects these clarifications. Responsible Use of the Internet Policy is no longer a separate policy but now incorporated in the revised RCP. | No | No | Complete | ||||||||
| The revised Responsible Computing Policy clearly states that the Internet and e-mail are provided for “legitimate business use in the course of assigned duties and only incidentally for personal use”, and that disciplinary action, including dismissal, are consequences of non-compliance. The Responsible Computing Policy will be reviewed to ensure that it applies equally to both Internet usage and e-mail usage, and reflects our current practices. | |||||||||||||||