Internal Audit Report - Audit of Information Technology Business Transformation - SIMSI Migration Project

June 24, 2014

Table of Contents

1 EXECUTIVE SUMMARY

Introduction

Infrastructure Canada (INFC) was established in 2002 and is responsible for facilitating the provision of funding for world-class, modern public infrastructure for the benefit of Canadians. Since the Department's inception the focus of the Information Management and Information Technology (IMIT) group has been on defining business requirements for new applications, contracting, and managing vendor relations in support of service delivery.

INFC relies on the Shared Information Management System for Infrastructure (SIMSI) to facilitate the execution and delivery of various federal contributions and transfer payment programs. This information management system has been designed, built, hosted, and maintained by a third-party contractor over a 12 year period.

As a result of the creation of Shared Services Canada's (SSC) in November 2011, INFC was mandated to transfer SIMSI hosting services from the third-party contractor to an SSC datacentre. INFC is in the process of managing this notionally estimated $2 million migration project.

Initial activities in support of the hosting services migration began in early 2012 and were integrated under a more formal SIMSI Migration Project in 2013. This Information Technology Business Transformation project is sponsored by the Department's IMIT Directorate.

Audit Objectives and Scope

The audit objective was to assess the adequacy of the management controls in place to ensure the effective and efficient migration of the hosting of SIMSI from the third-party contractor to Shared Services Canada.

The audit scope included key Systems-Under-Development (SUD) elements including: systems planning; analysis; architecture and evaluation / selection based on a high-level assessment of governance; business / solution design; and, project risk areas.

Conclusion

Overall, INFC has put in place governance processes and procedures to support the overall management of the SIMSI migration project. The project has been integrated into INFC's Departmental governance framework. Although delayed, most elements expected of a project management control framework have been put in place. Technical and system requirements are progressively being developed and incorporated into system implementation plans. SIMSI migration timelines have been delayed due to internal and external factors and project management anticipates that the migration will be completed by October 2014. Areas identified for improvement included:

  • Re-assessing resource competencies and internal resource capacity to reduce the risk of gaps at migration.
  • Ensuring that future projects of this size and complexity have business cases developed in accordance with INFC's Policy for IT-Enabled Projects.
  • Identifying and defining security requirements based on system criticality and sensitivity and ensuring appropriate controls are established and formally communicated to SSC prior to the SIMSI migration.
  • Validating the results and reliability of the threat and risk assessment to be performed by the third-party contractor on the SIMSI system in advance of the migration.
  • Developing and finalizing business, functional and system requirements for SIMSI Migration, ensuring the architecture and planned controls link to the defined requirements.

Management is in agreement with the audit findings and recommendations. Management has developed action plans to address the recommendations which have been included in the report.

2 BACKGROUND

Infrastructure Canada (INFC) was established in 2002 and is responsible for facilitating the provision of funding for world-class, modern public infrastructure for the benefit of Canada and Canadians. One of the ways that INFC achieves this is by making investments under both contribution programs and transfer payment programs. Since the Department's inception the focus of the Information Management and Information Technology (IMIT) group has been on defining business requirements for new applications, contracting, and managing vendor relations in support of service delivery. INFC relies on the Shared Information Management System for Infrastructure (SIMSI) to facilitate the execution and delivery of various federal contributions and transfer payment programs.

SIMSI facilitates applications for contribution funding by designated users in support of infrastructure projects across Canada. It enables applicants to apply on-line for project funding, monitor project statuses and provide claim information throughout the lifecycle of an individual project. It allows INFC to assess funding applications, apply due diligence, and track and report on project approvals, financial commitments, and expenditures.

SIMSI was originally intended to be used for one fund and has been readapted and rebuilt several times over the last 12 years to serve new contribution programs. Since 2010 SIMSI's capacity has been strengthened to be able to respond quickly to new infrastructure programs. It is now composed of a number of subsystem software applications that are used to manage infrastructure programs, related financial planning, program reporting, and geomatics information. The system has been designed, built, hosted, and maintained by a third-party contractor since its inception.

In August of 2011, Shared Services Canada (SSC) was created by the Government of Canada through an Order in Council with a mandate to centrally deliver email, datacentre, and network and telecom services to 43 Government of Canada organizations, including Infrastructure Canada. SSC's datacentre consolidation plan is to reduce the number of datacentres supporting government systems from 485 to seven by the year 2020.

In the spring of 2012, INFC initiated discussions with SSC to plan for the migration of SIMSI from the third-party contractor facility to a SSC owned and managed datacentre facility. The initial scope of the migration project encompassed the entire SIMSI solution, which included the Data Warehouses, Business Intelligence (BI) reporting, and Geomatics features.

While individual SIMSI migration activities and projects had taken place since early 2012, it was not until the fall of 2013 that INFC established the formal SIMSI migration project. Over time INFC reduced the scope of the migration to the systems that reflected current and forecasted business needs, taking into account closing contribution programs and SSC constraints. In addition, INFC has a parallel renewal project underway of the SIMSI sub-system for managing major infrastructure programs. The parallel project included development activities and planned technical upgrades being implemented for existing systems that will be completed as part of the SIMSI migration project.

Original SIMSI Migration project timelines and expected completion dates were scheduled for a phased transition in the fall of 2013. These timelines had been established to help ensure that the system would be ready to deliver any new programs and initiatives set out in the Government of Canada's Economic Action Plan.

3 AUDIT OBJECTIVES

The audit objective was to assess the adequacy of the management controls in place to ensure the effective and efficient migration of the hosting of the Shared Information Management System for Infrastructure (SIMSI) from a third-party contractor to Shared Services Canada.

The audit scope included key Systems-Under-Development (SUD) elements including: systems planning; analysis; architecture and evaluation / selection based on a high-level assessment of governance; business / solution design; and, project risk areas.

The period covered by the audit was from the spring of 2012, when INFC had initiated planning activities for the migration, to March 2014. The scope of the audit did not include an assessment of the SIMSI technical implementation as this is not yet complete.

4 AUDIT APPROACH

The conduct of the audit was approved in the Risk-Based Audit Plan 2013-16. The approach and methodology used conforms to generally accepted practices, processes, procedures and standards of internal audit in the Government of Canada, and conforms to the Treasury Board Secretariat Policy on Internal Audit and the Institute of Internal Auditors Standards for Internal Auditing. Audit criteria were sourced from the Treasury Board of Canada Secretariat, the Office of the Comptroller General of Canada, ISACA (previously known as the Information Systems Audit and Control Association) and other best practice sources such as the Control Objectives for Information and Related Technology (CobiT) framework.

The audit work was conducted in three phases - planning, examination, and reporting - with deliverables prepared at key points. The planning phase included interviews, a high level modeling review, risk assessment and general documentation reviews (i.e. business plans, governance structure, organization charts) to gain an understanding of the audit entity and its environment. This knowledge formed the basis for determining the areas for detailed review in the examination phase.

The examination phase included interviews and file reviews / tests to identify and assess the significance of the issues and findings. Preliminary audit findings were communicated to the auditee for the validation of facts to confirm the clarity, accuracy, and completeness of the information reported.

This report consolidates the findings and presents management's responses and action plans to address the recommendations.

5 AUDIT FINDINGS

5.1 Governance

It was expected that INFC's SIMSI migration project management team / personnel would have provided adequate governance to ensure that the migration project was adequately defined and approved by senior management and the business and technical resources were assigned. In addition, it was expected that governance procedures would have been in place and designed to keep management informed of migration progress.

Governance

Conclusion:

INFC has put in place governance processes and procedures to support the overall management of the SIMSI migration project. The project has been integrated into the INFC departmental governance framework. Although delayed, most elements expected of a project management control framework have been put in place.

INFC is working with its implementation partners

INFC has an approved project charter for the SIMSI Migration Project which includes a joint governance component with SSC. SSC also developed its own project framework which includes a Business Case, Project Charter and Project Management Plan.

INFC staff has encouraged a high degree of SSC participation throughout the project. To this end, INFC and SSC established joint Director General and Director level committees. Bilateral meetings are held between the INFC's Information Technology (IT) Operations Director and SSC Build Team Directors. In addition, separate project reporting mechanisms exist between INFC and the third-party contractor that currently hosts and maintains SIMSI. Furthermore, the INFC Chief Information Officer is a member of the Government of Canada Chief Information Officer Council.

SIMSI governance is integrated into INFCs departmental governance framework

The Departmental Management Committee (DMC) provides top-level direction, leadership and oversight within INFC. The Investment Planning Committee (IPC) is a subset of the DMC that helps to develop and guide the Department's Investment Plan and provide oversight of major investment projects such as the SIMSI Migration. The SIMSI Steering Committee (SC) reports to the DMC through the IPC and supports the Department's objective of having an effective governance and accountability structure in place to oversee SIMSI activities. The SIMSI Steering Committee consists of Director General level executives who provide advice and guidance, make recommendations, and endorse IMIT recommendations.

Single point of accountability

Responsibility for the SIMSI Migration Project was assigned to a single accountable executive who was responsible for establishing a disciplined governance, project leadership and project management approach. This single point of accountability is outlined in the SIMSI Project Charter.

Most elements of a project management control framework have been put in place

Although delayed, most elements expected of a project management control framework have been put in place with some areas for improvement. For example, some project roles and responsibilities could have been better defined. The Project Manager was not fully utilized in that role and the Project Management Office functioned more as an administrative secretariat than a Project Management Office. Finally, project milestones continue to be mostly determined by external party (e.g. the third-party contractor and SSC) capacities.

Overall INFC's SIMSI Migration project governance framework helped to formalize activities previously being performed as functional initiatives by IMIT. As a result project activities are identified and coordinated, and issues are monitored and reported to senior management.

5.2 Internal Capacity

It was expected that the INFC governance framework would ensure that a detailed internal capacity assessment would have identified critical capacity (quantity and skill sets) requirements for the planning, implementation and post-migration phases of the project.

Internal Capacity Requirements

Conclusion:

While the IMIT staff that work on the SIMSI migration project are dedicated to performing their roles and responsibilities, there is a need for INFC to define its resource competencies and general requirements for the post-migration period. Areas identified for improvement included:

  • Re-assessing resource competencies and internal resource capacity to reduce the risk of gaps at migration.

The role of the INFC IMIT Directorate is evolving

At present, a third-party contractor is responsible for the development, delivery and maintenance of the SIMSI system, including hosting of the application. This has been referred to as a "turnkey" solution, which means that the third-party contractor has proprietary control of the application and operates it on behalf of INFC. Thus, the third-party contractor is contractually responsible for almost all of SIMSI's technical operations and system support, operating under the direction of INFC technical and business leads.

INFC has only required a minimal level of technical expertise and has operated with limited internal capacity in IMIT. As such, the Department has used professional services contracts to fill organizational IMIT needs as required. These issues were outlined in our 2011 Internal Audit of Information Technology Contracts. For the SIMSI project, a significant part of IMIT's role has been to liaise between SSC and the third-party contractor. In May 2013 the IMIT Directorate highlighted to senior management significant, internal human resource shortages, pointing to "vulnerabilities in the areas of IT security, geomatics, web services, applications development, and business and client services".

In order to begin addressing internal capacity issues to ensure seamless operation and support of SIMSI during and post-migration, INFC has followed a three-track course:

  1. Augment internal capacity, acknowledging Treasury Board Secretariat's direction that turnkey service be migrated to SSC and not re-bid.
  2. Develop a Master Readiness Plan, detailing the knowledge transfer that will have to take place from the third-party contractor to INFC identified resources over the course of the transition. INFC is contracting with the current third-party contractor as they have proprietary access to the various resources currently doing the day to day work.
  3. Execute the knowledge transfer activities that are planned throughout the migration. The Master Readiness plan will document the knowledge transfer for incorporation into the SIMSI implementation schedule.

Upon completion of the migration project, SSC will be responsible for the operation and management of SIMSI's infrastructure while INFC will assume the responsibility for middleware, databases, application development and maintenance, which was historically outsourced to the third-party contractor.

The migration of the system is a complex undertaking

SIMSI migration involves the transition of the third-party contractor-built SIMSI application to SSC's Government Operations datacentre infrastructure. As such, this migration project is notably complex as it deviates from typical development and migration projects the Federal Government usually executes in that it requires coordination between three independent entities with varying capabilities and roles and responsibilities.

As the migration is already underway, INFC has the challenging responsibility to identify and acquire development, maintenance and support services to ensure that the application continues to operate in a stable and predictable manner on SSC's platform as required. This is a complex task as INFC does not have exclusive privileged access to the SIMSI system and INFC has minimal technical expertise and experience in its day-to-day operations. INFC's approach has been to provide project direction and task SSC staff and third-party contractor staff to develop a migration plan and architect the overall solution.

Management now anticipates that the SIMSI migration project will be completed by October 2014 in a one-round migration effort. Management, understanding the project's complexity and risks, have established contingency plans to extend the use of the third-party contractor site and operate for an additional five months should the need arise.

Identification of key resources and skills

A resourcing gap analysis report conducted by the third-party contractor provided some indication of the skill requirements for the department. These included INFC gaps in application coding, source code maintenance, application design and maintenance, with corresponding skills sets that need to be addressed. The document noted that significant knowledge transfer / job shadowing over a period of months is required to successfully transfer data warehousing functions / services to the responsible service provider roles(s) at INFC / SSC by cutover date.

It was also identified that some of the required skillsets and roles essential to ensuring a seamless and successful migration had not been identified or filled at an early enough stage of the project. Key skill sets and roles that were either identified late in the process or that were not considered as part of the migration include: Enterprise Architect; Database Analyst; and, IT Security Manager. For instance, an Enterprise Architect or similar role is critical to engage key stakeholders early in the process in order to define requirements in the planning phase and guide solution design and architecture.

As a result, INFC may not have had the appropriate resources in place to effectively plan for and implement the migration. In addition, the Department has not yet fully assessed internal IMIT capacity requirements, which could potentially compromise the required operational support and capacity upon completion of the SIMSI migration.

Recommendation 1. INFC Senior Management should re-assess resource competencies and internal resource capacity to reduce the risk of gaps at migration.

Management Response to Recommendation 1: Management accepts this recommendation. Two actions will be taken: IMIT will complete a staffing plan to ensure that organizational resource capacity and competencies exist to support the SIMSI systems during the post-migration phase; and, IMIT will complete an Independent Project Health Check, which will include a review of the staffing plan and readiness.

5.3 Project Management

It was expected that INFC had established a project management approach that was commensurate with the size, complexity and related Government of Canada and Departmental policy requirements of the project. In addition, it was expected that project management controls provided adequate oversight of the project (financial, meeting deadlines, etc.), appropriate involvement by the stakeholders, iterative evaluation of risks, monitoring of issues, and escalation of issues where required.

Project Management

Conclusion:

While a Project Charter and Project Management Plan had been developed for the SIMSI migration project, management decided not to prepare a business case at the onset of the project. Key considerations in this decision were the fact that the transition to SSC was mandatory and that SSC had prepared a business case for their aspects of the migration project.

Areas identified for improvement included:

  • Ensuring that future projects of this size and complexity have business cases developed in accordance with INFC's Policy for IT-Enabled Projects.

Most standard project management practices for large projects were followed

The INFC IMIT Directorate has, for the most part, followed standard project management principles and practices related to large projects. The SIMSI Migration Project was notionally budgeted at $2.0 million ($1.5 million in 2013-14 and $0.5 million in 2014-15) and included in the Departmental Investment Plan 2013-14. The Project Charter and a Project Management Plan were completed in the fall of 2013. These key project management documents were completed almost one year after activities related to the migration began.

SIMSI migration activities began in 2012 and formalized into a project in 2013

INFC initiated the migration of SIMSI as a priority in early 2012 in order to take advantage of the newly mandated hosting opportunities at SSC. Documents reviewed by the audit indicated the following project activities and timelines:

  • Activities to generate the SIMSI migration plan – March 2012 (de facto "project" commencement)
  • Business Requirements Document (BRD) – September 2012
  • 2013-14 Investment Plan signed off by Deputy Minister – August 2013
  • SIMSI Project Charter – October 2013
  • SIMSI Project Management Plan – December 2013
  • Target date for One Round Migration – September 2, 2014
  • End of third-party contractor contract – October 2014 (with extensions to March 2015 possible)

The SIMSI Migration Project started with a series of IMIT functional initiatives and led to the development of a business requirements document, which was approved in September 2012. In early 2013 project activities that had been ongoing since early 2012 were formalized as part of a project governance framework. The formalization of project roles enabled focused discussions and deliberations with SSC related to scope and scheduled for the eventual migration.

The project charter and the project management plan established in the fall of 2013 outlined key roles and responsibilities and established a high-level strategy for achieving a successful migration of the SIMSI system.

The development of the project management framework and appropriate governance mechanisms allowed INFC to describe its migration requirements, outline a transition schedule, determine key contacts for migration activities and seek collaboration with SSC for successful project outcomes.

INFC's experience in initial functional activities to transition SIMSI from a third-party contractor solution to the SSC platform between early 2012 and late 2013 facilitated the negotiations around project scope and milestones. High level expectations for communications for the project were defined in the Project Management Plan and communications were documented.

Senior management decided not to prepare a business case for the project

As indicated in INFC's IMIT Business Sign-off Policy for IT-Enabled Projects, projects greater than $1 million must have a full project charter and business case. A business case would generally capture "the results of benefit-cost and options analyses and a description of each option considered." However, senior management decided not to prepare a business case for this project. This was attributed to an assumption that a Departmental business case analysis was not required since it was a mandated transition to SSC through the Order in Council. Moreover, since SSC had developed a business case for their components of the project, INFC did not deem the development of an internal business case to be necessary.

However, by not having a formal INFC business case for the SIMSI Migration Project, there was limited documentation indicating whether decisions and options were effectively analyzed. While the transition to SSC was mandatory; the timing of transition, the scope of migration and costing options were not evaluated in a formal business case. Additionally, key performance indicators, which could have acted as markers to assess project success and benefits realization were not documented.

While some of the risks associated with not having a business case have been addressed through other means such as briefings to the Departmental Investment Planning Committee, these alternatives cannot replace the sum of the information usually presented in a business case at the onset of a project.

Recommendation 2. INFC senior management should ensure that future projects of this size and complexity have business cases developed in accordance with INFC's Policy for IT-Enabled Projects.

Management Response to Recommendation 2: Management accepts this recommendation. Business cases have been developed for all IM / IT projects in accordance with the INFC policy with the exception of the SIMSI migration project. The current suite of Departmental IM / IT policies will be reviewed and updated to address project risks for decision-making as well as business case requirements for all types of projects, including mandatory projects initiated in relation to Government of Canada priorities.

5.4 Security Requirements

It was expected that security, operational and functional control requirements would have been established during the planning phase of the SIMSI project as part of the high-level system design or requirements definition.

Security Requirements

Conclusion:

Security controls related to SIMSI as part of the Migration Project are being addressed at a later than normal stage in such a project. Areas identified for improvement included:

  • Identifying and defining security requirements based on system criticality and sensitivity and ensuring appropriate controls are established and formally communicated to SSC prior to the SIMSI migration.
  • Validating the results and reliability of the threat and risk assessment to be performed by the third-party contractor on the SIMSI system in advance of the migration.

The responsibilities for some IT security functions are changing

INFC's manager of IT Security, who reports to the Chief Information Officer, is responsible for selecting, implementing, and evaluating IT related security controls for all IT systems, including SIMSI. Within this responsibility framework, INFC has historically delegated the selection, evaluation and testing of security controls to the third-party contractor as part of its service agreements.

As a result of the Order in Council transferring the control and supervision of email, datacentre and network services to SSC, the manner in which security is designed and managed within a shared federal IT environment has changed. It is expected that the responsibility and accountability for security will be shared between independent departments and the Security Operations Centre of SSC in its mature state. Accountability for the security and integrity of SIMSI will remain with INFC, while the responsibility to provide a portion of security controls will exist with SSC under INFCs agreement and understanding.

IT security requirements are being addressed late in the project

As noted above and in section 5.5 of this report, business and functional requirements have not yet been fully developed in the area of security and privacy.

Although several components of the new hosting environment are presently being built, key assessment activities and their outputs considered essential in guiding the identification and selection of required IT security controls prior to system development and implementation have yet to be completed. These include an updated Statement of Sensitivity and a Logical Threat and Risk Assessment.

To address this situation at a critical stage of the migration, and to help define security measures for SIMSI at SSC, INFC contracted with the current third-party contractor in February 2014 to generate the Logical Threat and Risk Assessment and the Statement of Sensitivity on the planned SIMSI architecture and related sub-systems. These key deliverables (scheduled to be completed in the summer 2014) and other planned deliverables such as a Concept of Operations, will be essential in informing security requirements for the system in its new environment and will also form the basis of INFCs greater SIMSI Certification and Accreditation plan. The practice of Certification and Accreditation of an information system such as SIMSI is considered a key risk management practice for IT systems used in the Government of Canada and, once complete will demonstrate a baseline security compliance of SIMSI within an SSC hosted environment.

Key security deliverables not being commissioned at an early or appropriate stage of the project, coupled with the relative lateness in engaging INFC security personnel within the project, have resulted in INFC not identifying and communicating all security requirements for the planned migration in a timely manner. Consequently, there is a risk that INFC may operate SIMSI with less than ideal security controls, and be unable to gain reasonable assurance that architected and implemented security controls are appropriate for the system or meet INFC security requirements.

As stated above, in order to retroactively address gaps in defined security requirements, the current third-party contractor has been tasked to perform the threat and risk assessment on key areas of SIMSI's new hosting environment. However, in doing so, the current third-party contractor is assessing parts of its own solution design and implementation work. This presents a potential conflict of interest, which could impact on the third-party contractor's ability to fully report on related security threats and risks resulting in elevated exposures and / or weak IT security controls for SIMSI migration in its new environment. The potential impact is that INFC senior management may be challenged in demonstrating reasonable assurance that reported risks are credible, and may make key SIMSI security related decisions based on unreliable analysis of the IT security posture.

Security controls are planned

As noted above, security requirements are yet to be fully developed either in formal planning documentation or within other supporting documentation and internal communications produced by INFC, the third-party contractor or SSC.

Current delays in identifying security requirements is in part due to project management generally accepting that SSC, with its prescribed responsibility to host Government of Canada departmental IT systems, will provide sufficient cyber security controls for the protection of SIMSI. This position taken by the project management team is principally derived from the Order in Council in concert with an acceptance of SSC's broadly termed cyber security directives as being adequate.

However, as a result of significant efforts in system planning and in lieu of well-defined security requirements, several architecture and migration planning documents exist that include broad descriptions of planned / assumed security controls. These include: Antivirus, Network zoning, firewalls, and intrusion detection / prevention. Furthermore, the current planned / assumed security controls are generally commensurate with the existing security controls as implemented and managed by the third-party contractor.

Recommendation 3: INFC Senior Management should identify and define security requirements based on system criticality and sensitivity and ensure appropriate controls are established and formally communicated to SSC prior to the SIMSI migration.

Management Response: Management accepts this recommendation. Two actions will be taken: IMIT will document the security profile of the SIMSI systems using the current government security standards, and ensure that the security requirements for SIMSI are communicated to SSC; and, IMIT will take the necessary actions to ensure that gaps are appropriately addressed in order to 'Go-Live'.

Recommendation 4: INFC Senior Management should validate the results and reliability of the threat and risk assessment conducted by the third-party contractor.

Management Response: Management accepts this recommendation. The vendor conducting the Threat and risk assessment will be providing an attestation regarding the independence of its security team in developing the Threat and risk assessment for the SIMSI systems. In addition, IMIT will complete an Independent Verification and Validation of the Threat and risk assessment being performed on the SIMSI systems.

5.5 Business and Solution Design

It was expected that INFC would have established and defined system and solution requirements that described the specific system attributes and business processes. A detailed design of the solution for use by partners and developers would be in place and ready for the execution / implementation.

Business and Solution Design

Conclusion:

While business requirements documentation and supporting documents were established early in, and throughout, the project lifecycle, they were neither complete nor fully developed. Areas identified for improvement included:

  • Developing and finalizing business, functional and system requirements for SIMSI Migration, ensuring the architecture and planned controls link to the defined requirements.

Solution design and planning preceded the development of key requirements

Initially, the plan was to migrate the complete SIMSI system as is from the third-party contractor to the SSC datacentre. However, preliminary planning activities identified some technical constraints, which increased the migration's technical complexity and led to a reduction in scope of the SIMSI migration. Even with a scope reduction, there was limited analysis and development of key requirements and the project proceeded almost directly into designing a solution.

The primary business requirements document outlines activities related to the transition of the system to SSC. However, it does not describe INFC's business and functional requirements and does not provide relevant information for the successful development of new IT infrastructure for the hosting of SIMSI at SSC's datacentre.

The project information and documentation specifying requirements that were necessary for efficient systems development are either missing or incomplete. Specifically, the following requirements were not fully developed and finalized: Business Requirements, Operational Requirements, Functional Requirements, Security and Privacy Requirements, Availability and Integrity Requirements, and, System Capacity and Scalability Requirements. While elements of these requirements exist in various working documents, it was difficult to piece together the information from the various sources.

As such, the migration plan was developed without a full understanding of the business, functional or technical requirements, which is what is normally done for system migration projects.

System design and architecture lack traceability

The project did have several versions of the high level solution design and logical network/infrastructure architecture, a Relocation Strategy and Planning document, broadly termed and planned security controls for the new SIMSI environment, although they are populated with many assumptions. Furthermore, current planned system architecture for SIMSI generally maps to the existing architecture and appears to meet SIMSI technical needs.

However, there is a lack of clarity and traceability in how design and architecture documents and plans reflect defined requirements. This can mostly be attributed to the lack of completeness and clarity in defined requirements. Without clarity and a horizontal understanding on how the solution design will meet requirements, INFC may encounter further delays in system migration and may be challenged in gaining reasonable assurance that the newly architected and implemented hosting infrastructure and related controls are appropriate for the system or meet INFC requirements.

Recommendation 5: INFC Senior Management should further develop and finalize business, functional and system requirements for the SIMSI Migration, ensuring the architecture and planned controls link to the defined requirements.

Management Response: Management accepts this recommendation. Three actions will be taken: IMIT will complete an Independent Project Health Check to review the completeness of INFC business functionality; IMIT will ensure that INFC business users perform a business validation prior to the blackout period (targeted to be August 14, 2014); and, IMIT will complete a project closeout including a requirements traceability matrix to ensure that defined requirements were satisfied.

6 CONCLUSION

Overall, INFC has put in place governance processes and procedures to support the overall management of the SIMSI migration project. The project has been integrated into INFC's Departmental governance framework. Although delayed, most elements expected of a project management control framework have been put in place. Technical and system requirements are progressively being developed and incorporated into system implementation plans. SIMSI migration timelines have been delayed due to internal and external factors and project management anticipates that the migration will be completed by October 2014. Areas identified for improvement included:

  • Re-assessing resource competencies and internal resource capacity to reduce the risk of gaps at migration.
  • Ensuring that future projects of this size and complexity have business cases developed in accordance with INFC's Policy for IT-Enabled Projects.
  • Identifying and defining security requirements based on system criticality and sensitivity and ensuring appropriate controls are established and formally communicated to SSC prior to the SIMSI migration.
  • Validating the results and reliability of the threat and risk assessment to be performed by the third-party contractor on the SIMSI system in advance of the migration.
  • Developing and finalizing business, functional and system requirements for SIMSI Migration, ensuring the architecture and planned controls link to the defined requirements.

Management is in agreement with the audit findings and recommendations. Management has developed action plans to address the recommendations which have been included in the report.

7 STATEMENT OF CONFORMANCE

The audit conforms to the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.

8 MANAGEMENT RESPONSE AND ACTION PLAN

  Recommendation Management Action Plan OPI and Due Date
1 INFC Senior Management should re-assess resource competencies and internal resource capacity to reduce the risk of gaps at migration. Management accepts this recommendation. Two actions will be taken:
  1. IMIT will complete a staffing plan to ensure that organizational resource capacity and competencies exist to support the SIMSI systems during the post-migration phase.
  2. IMIT will complete an Independent Project Health Check, which will include a review of the staffing plan and readiness.
CIO
  1. July 18, 2014
  2. August 1, 2014
2 INFC senior management should ensure that future projects of this size and complexity have business cases developed in accordance with INFC's Policy for IT-Enabled Projects. Management accepts this recommendation.
  1.  Business cases have been developed for all IM / IT projects in accordance with the INFC policy with the exception of the SIMSI migration project. The current suite of Departmental IM / IT policies will be reviewed and updated to address project risks for decision-making as well as business case requirements for all types of projects, including mandatory projects initiated in relation to Government of Canada priorities.
CIO
  1. March 31, 2015
3 INFC Senior Management should identify and define security requirements based on system criticality and sensitivity and ensure appropriate controls are established and formally communicated to SSC prior to the SIMSI migration. Management accepts this recommendation. Two actions will be taken:
  1. IMIT will document the security profile of the SIMSI systems using the current government security standards, and ensure that the security requirements for SIMSI are communicated to SSC.
  2. IMIT will take the necessary actions to ensure that gaps are appropriately addressed in order to 'Go-Live'.
CIO
  1. July 25, 2014
  2. September 26, 2014
4 INFC Senior Management should validate the results and reliability of the threat and risk assessment conducted by the third-party contractor. Management accepts this recommendation. Two actions will be taken:
  1.  The vendor conducting the Threat and risk assessment will be providing an attestation regarding the independence of its security team in developing the Threat and risk assessment for the SIMSI systems.
  2.  In addition, IMIT will complete an Independent Verification and Validation of the Threat and risk assessment being performed on the SIMSI systems.
CIO
  1. August 14, 2014
  2. November 28, 2014
5 INFC Senior Management should further develop and finalize business, functional and system requirements for the SIMSI Migration, ensuring the architecture and planned controls link to the defined requirements. Management accepts this recommendation. Three actions will be taken:
  1. IMIT will complete an Independent Project Health Check to review the completeness of INFC business functionality.
  2. IMIT will ensure that INFC business users perform a business validation prior to the blackout period (targeted to be August 14, 2014).
  3. IMIT will complete a project closeout including a requirements traceability matrix to ensure that defined requirements were satisfied.
CIO
  1. August 1, 2014
  2. August 14, 2014
  3. November 28, 2014

Appendix A: Audit Criteria

I. Governance

INFC's SIMSI project and migration management team/personnel have provided adequate governance over the project to ensure that the project is adequately defined and approved by senior management and the business, and technical resources are assigned. Governance procedures are in place and designed to keep management informed of the migrations progress.

II. Project Management

INFC established a project management approach that is commensurate with the size, complexity, and Government of Canada and Departmental policy requirements of the project. Project management controls provide adequate oversight of the project (financial, meeting deadlines, etc.), appropriate involvement by the stakeholders, iterative evaluation of risks, monitoring of issues, and escalation of issues where required.

III. Business and Solution Design

INFC have established and defined system and solution requirements that describe specific system attributes and business processes. A detailed design of the solution for use by partners and developers is in place and ready for the execution / implementation phase.

Date modified: