OSFI - Office of the Superintendent of Financial Institutions

02/04/2026 | Press release | Distributed by Public on 02/04/2026 10:24

Audit of Cyber Security Governance and Risk Management

1. Background

1.1 Overview

Globally, cyber security has been ranked as the current and future top risk for organizations by the IIA's Risk in Focus 2025 (PDF) report. This ranking is consistent with OSFI's risk outlook.

NIST (Footnote 1) describes cyber security as the process and controls related to preventing, detecting and responding to cyber incidents. Cyber incidents can have operational impacts, such as data loss, as well as reputational impacts, if stakeholders lose trust in OSFI due to the perception that OSFI cannot safeguard sensitive information. As a result, robust cyber security processes, supported by both the CIO and CSO teams, are critical to ensuring the integrity, availability, and confidentiality of OSFI's information.

Effective governance and risk management are essential to ensure cyber security risks are appropriately identified, assessed, and managed in alignment with OSFI's risk appetite. An effective cyber security governance and risk management structure should ensure accountability is clear across all stakeholders, with defined roles and responsibilities, so that decision-makers are well informed of OSFI's cyber security exposures, mitigation strategies and responses.

1.2 Context on Why We Did This Audit

In the six years since the most recent engagement in this area, OSFI's cyber security risks have escalated, with the shift to a hybrid work environment and transition to the cloud along with increasing sophistication and frequency of cyber incidents targeting government institutions. This audit is the first engagement in a broader cyber security audit program and focused on the governance and risk management processes supporting cyber security operations.

2. Summary of Audit Results and Findings

2.1 Overview of Results

While OSFI has established cyber security governance and risk management processes, a resource-constrained environment and rapidly evolving risks underscore the need for improvement in the adaptability, integration and timeliness of risk management and oversight processes to enhance the effectiveness of preparedness and risk responses.

Overall, Internal Audit has identified three specific areas to enhance governance and risk management of cyber risk, including:

  • Clear communication and escalation of Sector information to enable executive oversight;
  • Clarifying processes, roles, and responsibilities at the operating level; and
  • Integrating risk-focused strategic planning with on-going operational requirements.

2.2 Management Response

Management agrees with the findings and recommendations contained within this report and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.

3. Key Findings

3.1 Governance and Oversight Processes

Effective cyber security governance and oversight require systematic and timely reporting to ensure accountability and effective decision-making.

What We Found

At OSFI, the Executive Committee (EC) provides oversight of operations, supported by other committees and sub-committees, including the Management Oversight Committee (MOC) and the Enterprise Risk Management Committee (ERMC). While these committees have defined terms of reference, IA did not find accountability and reporting mechanisms that supported effective EC oversight. Specifically, IA noted:

  • Lack of clear standards and communication mechanisms to ensure consistency in the reporting of risk information and progress on approved plans from operational teams to EC. For example, cyber risk escalation to EC was driven by external events or through the CRO's updates, without a systematic reporting line between EC and the operational teams.
  • OSFI does not currently provide the CIO direct access to the Superintendent, as required in the Policy on Service and Digital, hindering timely communication of critical cyber risk information and active cyber incidents and response.

Why It Matters

Without access to relevant, timely, and integrated information, decision makers do not have an adequate understanding of OSFI's overall risk exposure, which may limit the effectiveness of decision-making in supporting risk management and resource allocation.

Recommendation #1 (High Risk)

The Deputy Superintendent of Integrity, National Security and Integrated Solutions (INSIS), with Executive Leadership Team (ELT) input, should ensure that risk escalation and reporting requirements are established to enable effective decision-making, including through the CIO having direct access to the Superintendent.

3.2 Risk Management Challenge & Assessments

An effective risk management function is one that supports executive decision-making and accountability by providing independent monitoring and challenge of the effectiveness of risk management programs.

What We Found

OSFI's risk management function consists of the Enterprise Risk Management (ERM) and Internal Risk Management (IRM) teams. Established risk management processes include quarterly CRO updates to EC, Risk and Control Self-Assessment (RCSAs), etc. During the audit, IA noted some gaps in the risk management function's oversight and challenge for cyber security risk management, including:

  • Lack of clarity around how ERM fulfils its monitoring and challenge role, especially for priority risks outside the RCSA process, to support senior management oversight and decisions.
  • Limited progress on establishing Key Risk Indicators and other defined measures to escalate risk information between the business line and ERMC may have limited ERMC's ability to subsequently advise EC on risk oversight.
  • The risk management function's planning mechanisms did not incorporate proactive alignment with operational and internal audit activities, which resulted in the deferral of planned activities to FY2025-26.

Why It Matters

Without robust risk management monitoring and challenge, senior management has reduced visibility into the effectiveness of cyber security risk management, which may hinder oversight and decision-making.

Recommendation #2 (Medium Risk)

The CRO should implement monitoring and challenge activities, including monitoring KRIs and risk mitigation activities, to effectively support senior management oversight and decision-making.

3.3 Risk-Based Management

Integrated and risk-based resource management can enable agility in the reallocation and reprioritization of activities to adapt to changes in the risk environment.

What We Found

OSFI lacks a defined resource management process to clarify expectations and steps for Sectors to follow for resource allocation or requests. This gap created inconsistencies in resource requests relating to cyber security, requiring the establishment of a tiger team to propose resource management solutions.

The broader resourcing mechanisms, including interim measures such as the Resource Management Committee, will be further examined in the Audit of Budgeting and Financial Management for enterprise-wide implications.

Additionally, at both the Sector and divisional level, there is a lack of information to demonstrate how existing resources are being utilized across the different risk and operational priorities, limiting the effectiveness of resource reallocation decisions.

Why It Matters

Without integrated risk-based resource management, OSFI may not have adequate information to understand the impacts and be agile and prudent in managing existing resources.

Recommendation #3 (Medium Risk)

Given the constrained environment, the CIO and CSO should establish risk-integrated resource plans to inform Sector-level planning and enable agile resource management and prioritization for cyber risks.

3.4 Staffing Planning & Talent Management

Effective talent management mechanisms enable OSFI to ensure that it can effectively recruit and retain employees with the skillsets it needs.

What We Found

OSFI's ongoing recruitment and talent retention efforts are challenged by increased competition for qualified cyber security talent, requiring proactive measures to support OSFI in attracting and retaining the talent it needs. IA noted some gaps in OSFI's current staffing planning, recruitment, and retention processes related to the area of cyber security, including:

  • Staffing planning and approval processes are conducted inconsistently, preventing OSFI from being proactive in cyber security resource planning to meet future skills needs.
  • Succession planning was inadequate for certain critical positions such as the Director, Cyber Security, resulting in the use of various interim stop-gap measures rather than long-term solutions.
  • External compensation benchmarking for cyber security-relevant positions has not been performed recently. Management has indicated that this resulting lack of competitiveness has led to staffing delays.

Why It Matters

To attract and retain the talent it needs in this highly competitive industry, OSFI needs to plan proactively and offer competitive compensation packages.

Recommendation #4 (Medium Risk)

The CHRO should support the CIO and CSO in developing strategic workforce planning for critical positions, including but not limited to, succession plans and talent management solutions to minimize key staffing gaps.

Recommendation #5 (Medium Risk)

The CHRO should benchmark compensation packages against external compensation at an appropriate frequency to ensure OSFI's competitiveness when hiring for cyber security positions.

3.5 Strengthening the Accountability and Agility of CIO and CSO Roles

As established by the GC Enterprise Cyber Security Strategy, strong, defined relationships and communication between CIOs and CSOs are essential to managing cyber security risks.

What We Found

TBS and OSFI policies identify three key accountable parties for cyber security related risks - the CIO, the CSO, and the Designated Official for Cyber Security (DOCS). While the CIO is broadly responsible for IT security, the DOCS (reporting to the CIO) is responsible for cyber security planning and integration specifically. Comparatively, the CSO is broadly responsible for OSFI's overall security posture and culture.

While both the CIO and CSO teams have taken steps to establish processes outlining their role in managing cyber security-related risks, IA noted some gaps, including:

  • A lack of delineation of process ownership between the CIO and CSO groups to clarify how the teams navigate overlapping areas of responsibility, which may create ambiguity in accountability.
  • Some of the processes reviewed were either not documented or out of date, which limits consistency in how risks are managed across different stakeholders.

Why It Matters

Without clear accountability and defined processes, business lines may not be able to effectively manage and respond to cyber security risks.

Recommendation #6 (Medium Risk)

The CIO and CSO, supported by the COO and CSRO, should define, document, and implement clear roles and responsibilities to ensure effective risk management.

3.6 Other Matters - Training and Awareness

Effective training is essential to ensure that staff understand cyber security risks and how to avoid them to minimize cyber incidents.

What We Found & Why It Matters

There were established cyber security mandatory training and awareness programs, as well as annual refreshers and enterprise-wide initiatives, such as cyber security awareness month.

However, failure rates are not used to identify the need for targeted or remedial training, which may result in training not effectively mitigating the risk of cyber incidents arising from employee actions.

Recommendation #7 (Low Risk)

The CIO should implement additional targeted training for employees who failed the simulation exercises.

Appendix A - Recommendation Ratings

Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

Recommendations are ranked according to the following definitions:

  • High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
  • Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
  • Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

Individual ratings should not be considered in isolation; their effect on other objectives should also be considered.

Appendix B - Key Terms & Acronyms

  • CIO: Chief Information Officer - designated official responsible for leading the departmental IT, information, and data management functions.
  • COO: Chief Operating Officer - Assistant Superintendent overseeing the Corporate Services Sector, including the CIO and CSO functions.
  • CSO: Chief Security Officer - designated official responsible to the deputy head or to the departmental executive committee to provide leadership, coordination and oversight for departmental security management activities.
  • ELT: Executive Leadership Team - representing the membership of OSFI's executive committee.
  • FINTRAC: Financial Transactions and Reports Analysis Centre of Canada - Canada's financial intelligence unit and anti-money laundering and anti-terrorist financing supervisor.
  • IIA: Institute of Internal Auditors - global leader in standards, certification, education, research, and technical guidance for internal audit as a profession.
  • SGO: Strategic Governance Office - supports OSFI's governance bodies in fulfilling their mandate, including performing secretariat functions.
  • TB: Treasury Board - a federal Cabinet committee responsible for managing federal government operations, including through defining policies and rules, such as for IT management.

Appendix C - About the Audit

C.1 Objective

To assess the effectiveness of cyber security processes including:

  • The effectiveness of cyber security risk identification and assessment processes to ensure the completeness and consistency of risks (Sprint I); and
  • The effectiveness of governance, oversight, and decision-making around risk response and resource prioritization as part of the cyber security risk management program (Sprint II).

C.2 Scope

The overall scope of this audit was the period between April 1, 2023 and March 31, 2024. Areas within scope included:

  • Sprint I: Cyber security risk identification and assessment processes, including associated roles and responsibilities, governance and oversight, and threat assessment processes.
  • Sprint II: Risk response, governance, and resource prioritization processes, including planning and decision-making, risk response action plans and monitoring, resource analysis, allocation, and prioritization.

Adjustments to Planned Scope: The initial audit scope included coverage related to third party risk management and recovery processes. However, during the audit, the first line had initiated work in these areas, which required adjustment to timing, specifically in:

  • Third-Party Risk: The first line is obtaining an externally resourced assessment of third-party risk, including development of a third-party risk framework.
  • Recovery Processes: There is a significant refresh of OSFI's Business Continuity Plan (BCP) underway, including revision of Business Impact Assessments (BIA) and operational continuity planning.

Given that these changes have a significant impact on current processes, audit coverage of these areas has been deferred, and will be assessed as part of the FY2025-27 RBAP processes to ensure assurance activities add value. IA will also monitor progress on the initiatives identified to identify potential advisory opportunities.

C.3 Approach and Methodology

The audit leveraged agile methodologies and used a phased approach to cover cyber security risk management and governance processes, including those within the CIO and CSO groups, as well as broader enterprise-wide processes.

The audit was conducted through document reviews, interviews, and process walkthroughs. Limited sample-based testing was conducted to assess the operational effectiveness of governance processes.

C.4 Audit Criteria

The following criteria were established for this audit (based on the scope adjustment outlined above):

Relevant NIST criteria, by sprint:

All Sprints:
  • GV.RR: Cyber security roles, responsibilities, and authorities, including the role of organizational leadership and oversight, to foster accountability, performance assessment, and continuous improvement are established and communicated.
  • GV.PO: Organizational cyber security policy is established, communicated, and implemented.
  • ID.IM: Improvements to organizational cyber security risk management processes, procedures, and activities are identified across all CSF functions.

Sprint I - Risk Identification and Assessment:
  • GV.OC: The external and internal circumstances surrounding the organization's cyber security risk management decisions are understood.
  • GV.RM: The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions and strategic direction.
  • ID.RA: The cyber security risk to the organization, assets, and individuals is understood by the organization.
  • PR.AT: The organization's personnel are provided with cyber security awareness and training so that they can perform their cyber security-related tasks.

Sprint II - Risk Response, Governance, and Resource Prioritization:
  • GV.OV: Results of organization-wide cyber security risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
  • GV.RM: The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.

C.5 Statement of Conformance

This review was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, consistent with the TB's Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.

C.6 Previous Audit Engagements

IA previously conducted an audit of OSFI's cyber security practice in 2018. The audit focused on cyber security processes and controls, and audit recommendations were issued for the consistent application and oversight of security practices for handling sensitive industry information. All recommendations have since been addressed by management and closed by IA.

Additionally, IA conducted a review of policies and practices related to information security in 2023. Three recommendations were issued relating to risk management processes and accountabilities, tracking of risk mitigation activities, and updates to security policies and training programmes. Implementation of these recommendations is currently in progress.

OSFI - Office of the Superintendent of Financial Institutions published this content on February 04, 2026, and is solely responsible for the information contained herein.