Audit of the Canada Revenue Agency - page 3


Table of Contents
Main Points ... 3
What we examined ... 3
Why this issue is important ... 3
What we found ... 3
Introduction ... 5
About the Canada Revenue Agency ... 5
Focus of the audit ... 6
Observations and Recommendations ... 7
Privacy Management and Accountability ... 7
Privacy Accountability needs to be defined ... 7
Employees understand their duty to protect taxpayer information ... 9
Tools have been developed to assess privacy risks ... 9
Privacy Impact Assessments are not always completed before projects are implemented ... 10
Information Technology Security and Governance ... 12
Responsibility for IT security is clear ... 12
Threat and risk assessments are not completed for many systems ... 13
Local applications are often implemented without review and approval ... 14
Employee Access and Monitoring ... 15
Controls over access rights are being strengthened ... 16
Generic user IDs are not adequately controlled ... 17
Gaps exist in the monitoring of employee access to taxpayer information ... 18
Access to taxpayer information by IT developers is inadequately monitored ... 19
Privacy Breaches ... 20
Mechanisms to investigate privacy breaches are in place ... 21
ATIP is not regularly informed when a privacy breach occurs ... 21
Serious breaches involving the disclosure of taxpayer information have occurred at the Agency ... 22
Conclusion ... 23
About the Audit ... 24
Appendix A: List of Recommendations ... 26