This audit was approved by the Departmental Audit and Evaluation Committee for 2004 - 2005 and was conducted during the period from November 1, 2004 to March 22, 2005. The Intranet was identified as a key management concern by the Chief Information Officer during annual management consultations, undertaken when planning departmental audits.
Overall, we believe this report will help management better understand and enhance its use of the Intranet as a corporate communications tool. The report also provides clear recommendations against which future spending on the Intranet can be assessed. The overall conclusion of the audit is that FAC is not realizing potential returns on its investment in the Intranet.
The audit found that the overall management framework for the governance of the FAC Intranet lacks a clear strategic direction. Inaccurate and outdated content on some FAC Intranet Web sites has reduced user confidence in all Intranet content. There is a need to improve processes and quality controls for managing, maintaining and withdrawing content published on the FAC Intranet.
The audit revealed limited user awareness of the content available on the FAC Intranet. Many FAC Intranet Web sites are unstructured and difficult to navigate, search engines are ineffective and frustrating, and the effective capacity of the network at some missions is not sufficient to access this information. Some missions (Paris, London, Washington, etc.) had Intranet sites that were not compliant with the Official Languages Policy. The audit also raised issues related to security, Intranet technology and application consolidation, and tracking the costs of ownership.
The audit recommends establishing a governance structure, developing an Intranet strategy, implementing content standards and related quality controls, improving search functionality, ensuring missions have adequate effective capacity for their Intranet needs, and mitigating security risks related to Intranet content. The audit recommends that the DMA assign responsibility for the management of the Intranet to the Communications Bureau (BCD). To implement the recommendations, it is recommended that an Intranet Steering Committee and an Intranet Editorial Board be established. This report assumes that there will be ongoing participation from the office of the Chief Information Officer (CIO) in all aspects of the emerging governance structure for the Intranet.
During audit briefings, we noted that the department has already taken concrete steps to establish a framework in which to implement key components of the report. As with any undertaking of this magnitude, the implementation of the recommendations should be phased and in consideration of the operational constraints of content owners.
The objectives of the audit were to:
The audit was performed in accordance with Treasury Board Policy on Internal Audit and the requirements and guidelines outlined in "The Professional Practices Framework" of the Institute of Internal Auditors (IIA).
The audit criteria were based on applicable COBIT Note 1 requirements, as well as departmental and Treasury Board Secretariat policies and procedures. Sufficient audit work has been performed and the necessary evidence gathered to support the conclusions reached in this audit report.
Audit findings are presented in the following categories:
The content of the FAC Intranet is not regulated by consistent operational-level management direction and controls. There is considerable variation across Intranet sites and development environments. This leads to inefficiencies and frustrations for the users, and higher support costs.
Although there is some anecdotal evidence of cost tracking, in general the department does not know the costs of the Intranet related to managing, publishing, maintaining, and retiring Intranet content. Consequently, governance of the intranet must be performed without a key piece of information to support management decisions. The audit identified areas for increased efficiencies and potential cost reduction by harmonizing application development technologies and environments.
FAC Intranet Web sites fail to meet user needs, contain unreliable content, lack feedback channels and have different appearances and unfamiliar Web site layouts. Overall, FAC Intranet content is very inconsistent and inefficient to access. This has resulted in many user complaints and frustration.
The current form of the primary FAC home page - the Panorama Web site - is widely considered to be unstructured, difficult to navigate, unfriendly to users, and largely a duplication of content with broadcast emails. This makes it inefficient and ineffective as a tool for accessing FAC information.
The configuration of Search Engines on the Intranet is ineffective and involves several separate, non-integrated engines that are implemented in an inconsistent manner. The result to the user is slow operation, incorrect results, and overall frustration. This, in turn, leads users to seek their information through less efficient means, such as manual searches, paper searches, or personal contact.
There may be opportunities to reduce Intranet application development costs through harmonizing application development technologies and environments.
Users at some missions are unable to utilize Intranet applications and work tools which are intended to improve productivity. This is due to limited effective capacity. Effective capacity is a function of the network link speed, the applications being used, user patterns and the proper tuning of applications and network. The audit includes recommendations to resolve these capacity constraints and improve mission usage without incurring additional costs for bandwidth upgrades.
The lack of quality controls on material being published to the Intranet has management concerned that there may be sensitive information on the Intranet that may individually or collectively compromise security.
The integrity of the content of some of the reviewed Web sites is low, which exacerbates the efficiency and effectiveness problems noted elsewhere in this report. Inaccurate and outdated content on some FAC Intranet Web sites has contributed to widespread scepticism by staff regarding the accuracy of all Intranet content. User access to Intranet content has been negatively impacted by a lack of commonly accepted page layouts and navigation, and search engines that simply do not work.
Audits are performed to provide management with assurance that control objectives are being met, to identify where there are significant control weaknesses, to substantiate the resulting risks, and to advise management on necessary corrective actions.
The Foreign Affairs and International Trade Canada (DFAIT) Intranet is a corporate tool for the electronic dissemination of departmental communications, tools and services to all employees at Headquarters and the missions. The Intranet was established in order to provide a cost-effective, user-friendly means of internal communications. Initially, the Intranet Web site was developed by the Information Management Technology Bureau. The Intranet is used to disseminate documents such as departmental manuals and directives, Division Web sites, and Panorama broadcast messages. The Intranet also provides access to tools such as the on-line Department directory, and services through applications such as the Human Resources Management System (PeopleSoft). The Intranet uses Internet (World Wide Web) type tools, but is set up on the internal SIGNET network.
The contents of the intranet are not "owned" by the Information Management Technology Bureau, nor is the establishment of an intranet site under any form of centralized "approving" organization within the departments. During annual management consultations the Chief Information Officer identified the Intranet as a key management concern, in particular that there were issues of governance, accuracy or "currency" of content, and ongoing costs that needed to be addressed. In addition, the separation of FAC and ITCan into two departments underscored the need to undertake a comprehensive audit of the Intranet.
The scope of the audit included both the FAC and ITCan Intranets. The audit addressed the areas of:
The audit deliverables and key audit activities included:
A structured sampling approach was used to ensure that the sample represented a broad cross section of Intranet stakeholders, content owners, users and technicians. Although the audit did not survey a large number of managers or employees, interviews were supplemented with the use of electronic tools which allowed testing of Web sites not possible using a manual approach.
"Watchfire", an automated Web site analysis tool, was used to derive specific Intranet technical and performance metrics, including dead links and the efficiency of search engines. The detailed Watchfire reports were run on the primary Intranet server and the results are presented in Section 3.0 of this report.
The ninety-six (96) Web sites examined during the audit resided on the following eight (8) servers at headquarters and are depicted on the high level network diagram below:
Detailed interviews were conducted with a sample of Intranet stakeholders, users, Intranet content owners, webmasters, division and departmental management. Some interviewees had several roles related to the Intranet (e.g., webmaster and Intranet user) and received multiple audit questionnaires during the interview.
A list of interviewees is provided in Appendix A.
The primary server, lbpis02, contained most of the Intranet Web sites audited, including the Panorama homepage which (at the time of the audit) was Foreign Affairs Canada's primary Intranet Web site. Many Intranet Web sites are accessed through links on the Panorama homepage, including Web sites residing on other network servers. The primary Intranet server (lbpis02) is also host to five (5) mission sites (i.e., Beirut, Brussels, Belgrade, Manilla, Oslo). The audit also reviewed five (5) other missions on other servers (i.e., Tokyo, New Delhi, Washington, London, Paris), and two other sites on two other servers on the Intranet.
The number of sites audited on each server is listed in the table below.
|Server||URL||Primary Role||Total Sites|
|lbpis02||http://intranet||Panorama PLUS others||70|
|lbpk01||http://corpapps||EQAMS, PubReg, Directory||3|
|lbpcat01||http://lbpcat01.capps||CATS, Tech Library||1|
|lbpk06||http://notespub01.dfait-maeci.gc.ca||Competitions, Acq Pol DB||2|
|albertpr||http://srdweb||Property, Materiel, Mail||1|
|lbpkz02 (on Internet)||http://pubx.dfait-maeci.gc.ca||Pubs Catalog||1|
A detailed audit plan identified all audit activities and the audit schedule. The status of the audit was monitored through weekly team meetings and through bi-weekly status reports. These meetings also provided an opportunity for the audit team to leverage ZIV organizational knowledge and guidance.
There is no executive level steering committee with the explicit mandate to establish Intranet strategy, develop related policies, and to ensure that they are implemented. Consequently, individuals operate independently and make more narrowly-based decisions, limiting Intranet effectiveness.
There is no strategy which would link the overall departmental goals to the goals and objectives for the Intranet, to the policies for management of information content, and to the Intranet infrastructure. This lack of direction is the root cause of many of the other problems observed during this audit and inhibits the resolution of these problems.
The lack of clarity regarding the fundamental purpose and role of the FAC Intranet causes conflicting understanding and interpretation by management and staff. This, in turn, creates inefficiencies through duplication, conflicts, and unmet user needs.
Many Intranet content owners identified the need for an Intranet Steering Committee that would establish the vision and strategy for the Intranet. It was suggested that the vision state the purpose of the Intranet and how Intranet content can assist in achieving corporate objectives.
An unclear understanding of the role and purpose of the FAC Intranet has contributed to difficulties in establishing priorities, inefficient decision making, and significant variations in the quality of FAC Intranet content. Although Intranet infrastructure operates efficiently, the content (material) on the FAC Intranet is not being effectively used to support internal communications.
Without a defined role and purpose for the Intranet, decisions may be based on unclear priorities and effort may be expended on initiatives that do not relate to making the FAC Intranet a more efficient and effective corporate communication tool. However, defining the role and purpose of the Intranet will not yield benefits unless it is clearly communicated to managers and staff with Intranet responsibilities.
There is a need for a high level strategy for the Intranet that clearly defines the role and purpose of the Intranet as a corporate communications tool. Communication paths may be between individuals, between departments, between departments and individuals, and between managers and staff, etc. The strategy and governance structure for the Intranet should address:
The Communications Division (BCD) currently manages the Department's Internet Web site. Like the Department's Internet site, the Intranet should be managed by communications experts within FAC. This report assumes that there will be ongoing participation from the office of the Chief Information Officer (CIO) in all aspects of the emerging governance structure for the Intranet.
The Horizons Intranet Web site was observed to have a clearly communicated role and purpose. Its mandate is to support ITCan personnel in the field with "usable and actionable" content. Its policies and standards are defined by a committee of stakeholders, and quality controls are implemented by the Horizons Team. The audit found that Horizons content was current, consistent with user need, and widely used by Trade Commission Service employees.
1.1.1 DMA assign responsibility for the management of the Intranet to BCD. This recognizes the Intranet as a corporate communications tool.
1.1.2 BCD set-up an Intranet Steering Committee that is executive level and broadly based. The Steering Committee should clearly define:
Action and Time Frame
1.1.1 DMA agrees. BCD was assigned the responsibility for managing the Intranet at the Management Committee meeting of April 20, 2005. Management committee also agreed to the following items:
Time Frame: Management Committee has now charged SCMA with the task to estimate the overall resource requirements for an Intranet overhaul.
BCD Response: BCD has accepted responsibility for management of the Intranet and management of the FAC content.
BCD Time Frame: Dependent on adequate resources.
1.1.2 A co-chaired ITCan-FAC Steering Committee has been initiated and Terms of Reference have been drafted. Additional membership requirements will be determined with the CIO upon approval of Terms of Reference.
Time Frame: Terms of Reference (TOR) completed on December 15, 2005.
The content of the FAC Intranet is not regulated by consistent operational-level management direction and controls, which allows considerable variation across Intranet sites and development environments. Web site variation leads to user inefficiencies and dissatisfaction, while the variety of development environments contributes to economic inefficiencies.
The extent of quality control is limited and the adherence to existing Web site design guidelines is inconsistent, resulting in significant variation across Intranet Web sites. The lack of clarity regarding the standards for FAC Intranet Web site layout and appearance leads to user inefficiencies, typically in the form of time lost due to different navigation styles and site layouts, and inconsistent page design conventions. Many users suggested the need for a common structure and appearance to FAC Intranet Web sites in order to reduce the learning curve and improve usability. The efficiency of users is diminished when they are required to learn new Web site layouts. Similarly, development costs are increased as time is spent designing new Intranet layouts.
Existing style guidelines are not followed because they are not considered by webmasters to be adequate or compliant with common Internet conventions. FAC Divisional Intranet Web sites, however, could reasonably be expected to follow standards for "look and feel". Illustrations of some Intranet Web site variation include:
Similarly, this variation of appearances exists among mission Intranet Web sites, including those residing on the main Intranet server:
The criteria and management controls for publication of content to the FAC Intranet are inadequate. The responsibilities for establishing management controls and monitoring compliance are not effectively defined and implemented. Without clear criteria and management controls governing publication of content to the Intranet, ensuring the consistent application of departmental protocols is difficult.
The Department would benefit from the establishment of an Intranet Editorial Board. Its mandate would be:
This board would be comprised of webmasters and content owners, or their representatives, from Divisions with significant content on the FAC Intranet. The development and implementation of policies and standards by the Intranet Editorial Board will need to acknowledge the time and budget constraints of Intranet content owners. A phased implementation approach is appropriate.
1.2.1 BCD establish an Intranet Editorial Board.
Action and Time Frame
1.2.1 The framework for an Intranet Editorial Board is being drafted for submission to the Steering Committee when the TOR have been accepted by BCD, CSM, and the CIO.
Time Frame: Under way, pending approval of the TOR.
The cost of ownership related to managing, publishing, maintaining, and retiring Intranet Web site content is not being tracked. Consequently, governance of the Intranet does not have the benefit of a key piece of information (i.e., content management costs) that would support good management decisions.
There was interest by senior management in knowing the costs of ownership related to the Intranet so that resources could be better justified or optimized. However, audit interviews clearly indicated that there were no defined processes for determining and tracking the total cost of ownership for the Intranet. The lack of cost data precludes the opportunity to calculate return on investment or undertake comparative benchmarking against other organizations over the longer term.
The only information related to cost of Intranet ownership that was available during the audit were anecdotal estimates of the cost related to the part of the Intranet that individual managers were most familiar. Isolated instances where costs associated with the Intranet were known included: the budgeted base costs for SXED, the costs of in-house (SXED) application development (tracked through a cost recovery program), the costs of contracted Intranet application or Web site development projects, the costs of corporate assets (hardware and software) used to manage the Intranet, and the full-time equivalent (FTE) allocations to the development and maintenance of some Intranet Web sites. For example:
The audit observed that for those Intranet development projects where costs had been tracked, there was often a failure to consider the true cost of ownership (e.g. ongoing maintenance of content, technical upgrades/support, etc.).
Without measures of the cost of ownership for Intranet content, management must define priorities and allocate resources among competing corporate priorities with less than complete information.
1.3.1 BCD, through the Intranet Steering Committee, implement processes to capture the costs of managing Intranet content.
1.3.2 BCD, through the Intranet Steering Committee, track and regularly review the costs of managing Intranet content and report to the Executive Committee.
Action and Time Frame
1.3.1 BCD will report on the resources and expenditures that are incurred through the Communications Bureau.
Time Frame: Under way.
1.3.2 The Steering Committee will track the costs to the Communications Bureau for management of the Intranet to BCD and the CIO prior to reporting to Executive Committee.
Time Frame: The first report will be delivered to BCD on April 28, 2006.
User efficiency and effectiveness is diminished due to the existence of FAC Intranet Web sites that contain unwanted content, lack feedback channels and have unfamiliar Web site layouts. Overall, FAC Intranet content is very inefficient to access, resulting in many user complaints and examples of frustration.
Auditees identified the following characteristics of FAC Intranet content as factors which limited user efficiency and effectiveness, and contributed to user frustration:
The content of many of the FAC Intranet Web sites is often not aligned with user needs. Many of the FAC Intranet Web sites were described by users as a repository for archived information rather than a tool that is focussed on addressing user needs. Several auditees emphasized the importance of determining what users want from the Intranet, and then verify that what is provided meets user expectations. However, there is no established process for assessing how well the FAC Intranet meets user needs. Without knowledge of levels of user satisfaction, it is difficult for Content Owners to determine how effectively their Intranet Web site meets user needs. An example of desired content included adding more information in the Career Cycle area which currently has a focus on rotational staff.
Inaccurate or outdated content may provide users with incorrect information. Scepticism regarding the reliability of FAC Intranet Web sites may cause users to disregard accurate Web sites. The Intranet is ineffective as a self-service tool when users must "go to the source to get the most up-to-date information". The audit did note that the SMD Intranet Web site has a sunset clause for all information that appears in the "what's new" section to ensure that outdated content is removed in a timely manner.
User feedback (e.g., suggestions, error reporting, user questions, etc.) may go unreported when content owners are not identified and feedback channels are not provided.
If common look and feel guidelines are adopted for Intranet Web sites, many content owners request that they not be too prescriptive, thus providing some flexibility in how the site appears. Any standards adopted should address content management, site development and quality management.
a) Content management would include:
b) Site Development includes:
c) Quality Management would include:
2.1.1 BCD, through the Intranet Editorial Board, establish clear operational standards for Intranet site content.
2.1.2 BCD, through the Intranet Editorial Board, initiate remediation of existing Intranet sites to new standards. The Editorial Board should acknowledge content owner time and budget constraints when implementing new policies and standards. A phased approach is recommended.
Action and Time Frame
2.1.1 The Intranet Editorial Board will be responsible for the creation and the dissemination of clear operational standards on content to site owners.
Time Frame: Under way.
2.1.2 The Intranet Editorial Board in cooperation with SXED will review the adherence to standards of the content as it is migrated to the redesigned Intranet. Remediation reports will be reviewed and issued to content owners as required.
Time Frame: March 31, 2006.
The current form of the main Intranet homepage - the Panorama Web site - (screenshot below) is widely considered to be unstructured, difficult to navigate, unfriendly to users, and largely a duplication of content with broadcast emails. This makes it inefficient and ineffective as a tool for accessing FAC information.
It is critical that the main Intranet homepage be structured so as to allow users to find the information they need quickly. At the time of the audit, the structure of Panorama was not intuitive and the Web site was considered by users to be difficult to navigate. Several examples of time wasted searching for links or information on Panorama were provided, including excessive effort spent searching for corporate guidelines (Also see Section 3.0 "Dead Links, Orphan Pages, Stale Pages").
Users suggested the criteria and priorities of links listed on the main Intranet homepage could be better defined. For example, the prominence of the daily Broadcast message on Panorama's opening screen was challenged because it is information that is repeated in a daily email to all users.
It was frequently stated that the opening page of Panorama is not structured in a way that provides an intuitively user-friendly means to answer questions (e.g., How many staff at a mission?, etc.). Staff want an Intranet that is more client centric and less organizationally structured. For example, including such things as a "Question and Answer" format that provides information on the location of training applications or forms. Currently, the primary Intranet homepage (Panorama) is a collection of links to stand alone Web sites with little integration and linkage across sites.
The Panorama Web site does not follow common Internet protocols related to such features as left navigation (versus the right navigation used by Panorama), and underlined hyperlinks (not underlined in Panorama).
The Department's investment in the FAC Intranet has been marginalized as a result of limited staff awareness of content and sites available. As a result, users do not experience the benefits (effectiveness) that they could from the FAC Intranet. In addition, there is no overall communication plan that addresses the strategy for promoting FAC Intranet content to users.
The layout of the Horizons Web site was widely regarded as efficient and effective. It is structured around how the information will be used rather than the structure of the organization.
For example, the opening menu is based on "Clients", not business lines.
Additional examples of Intranet sites that were suggested as good examples during the audit included:
2.2.1 DMA define BCD as the owner of the main Intranet homepage.
2.2.2 BCD, through the Intranet Steering Committee, identify owners for all other Intranet Web sites.
2.2.3 BCD, through the Intranet Steering Committee initiate a review of (and overhaul as necessary) all Intranet Web sites to ensure consistency with the new standards.
Action and Time Frame
2.2.1 DMA agrees. The owner of the main Intranet homepage will be BCD as soon as the resources are in place.
Time Frame: Completed September 2005
BCD: Agreed and implemented.
BCD Time Frame: DMA has assigned ownership of the main Intranet homepage to BCD. BCP now manages the main page of the Intranet.
2.2.2 SXEO has provided an up-to-date list of owners of all Intranet applications and content areas.
Time Frame: Completed November 2005.
2.2.3 As indicated in 2.1.2, the Intranet Editorial Board in cooperation with SXED will review the adherence to standards of all Intranet sites as they are migrated to the redesigned Intranet. Remediation reports will be reviewed and issued to content owners as required.
Time Frame: April 2006.
The configuration of Search Engines on the Intranet is ineffective. The Intranet currently has several separate, non-integrated engines that are implemented in an inconsistent manner. The result to the user is slow operation, incorrect results, and overall frustration. This, in turn, leads users to seek their information through less efficient means, such as manual searches, paper searches, or personal contact. This creates the risk that inaccurate search results may lead to decisions based on incomplete or inconsistent information.
Interviewees were adamant that the usability of Intranet content is severely limited by search engines that do not produce accurate results. It was stated that the search engines often do not provide hits where the user knows that a site exists, and searches do not include all of the Intranet Web sites when searching. In the example below, a Travel Expense Claim could not be located by the search engine even though the form is identified on the Intranet.
Factors contributing to ineffective Intranet search engines include:
Considerable Intranet content is not used because users cannot find it using the search engine. A comprehensive description of the cause of this problem is provided in Section 3.0 of this report ("Dead Links, Orphan Pages, Stale Pages").
To overcome the limited functionality of the search engines, the Horizons Intranet Web site has implemented a key word index. Although not a substitute for an effective search engine, content searchability has improved.
2.3.1 BCD, through the Intranet Steering Committee, assign responsibility for the common Intranet search engine(s) to SXE.
2.3.2 SXE define, plan, and implement improvements to search engines.
2.3.3 BCD, through the Intranet Editorial Board, ensure that new Intranet Web sites conform to requirements to support searches.
2.3.4 BCD, through the Intranet Editorial Board, initiate documentation and maintenance of the architecture for Intranet content.
Action and Time Frame
2.3.1 BCP on BCD's behalf has communicated the need for a new Search Engine to SXE.
Time Frame: October 2005
2.3.2 As part of its implementation of the Government of Canada's new standard Web Content Management System (WCMS), SXE is developing a solution based on the Verity software.
Time Frame: F/Y 2006/07.
2.3.3 BCD, in accordance with the identified requirements to be supplied by SXE once the new Search Engine has been determined, will ensure that all new Intranet sites conform to requirements to support searches.
Time Frame: Under way FY 2006/2007.
2.3.4 BCD will ensure the documentation and maintenance of the Information Architecture of the Intranet content. SXE will be responsible for the Technical Architecture to support maintenance of the Intranet.
Time Frame: March 31, 2006
There is an opportunity to reduce the costs of development, maintenance, and support of Intranet applications by harmonizing application development technologies, platforms, and environments. For example, Microsoft Java and Sun Java, very similar technologies, are both currently supported.
There are several Intranet applications that replicate functionality already available on the Intranet. For example, auditees reported that there are numerous Grants and Contributions applications within the Department (some web-based, some SQL applications). There are several contact management systems (e.g., Outlook, Contacts Plus, Act 2000, Maximizer, system maintained by ITCan, and some Divisions have their own). Prior to the development of any new Intranet applications, the use of existing Intranet applications should be considered in order to realize lower overall application development and support costs and reduce duplication of redundant Intranet applications.
Standard requirements or guidelines for the technologies used in Intranet applications have not been applied, especially for applications developed outside the Department.
An opportunity to improve collaboration among Divisions was identified by auditees. The suggested goal was to identify best practices, increase reuse of existing applications and reduce re-invention within the Department.
2.4.1 SXD review and rationalize the platforms and environments for Intranet development and operation.
2.4.2 SXD document and communicate the standards for externally-developed Intranet applications and Web sites.
Action and Time Frame
2.4.1 SXD is moving all Intranet operations to a SIGNET-3 environment, running on a hardware platform built to current SIGNET-3 standards. The upgraded platform will be configured to isolate development, quality assurance and production activities, as recommended by current best practice.
Time Frame: April 2006.
2.4.2 Further to recommendation 2.1.1., SXD will develop operational standards, and support content owners in communicating them to external contractors. FTE resources will be required to be determined.
Time Frame: F/Y 2006/07.
Users at some missions have inadequate access to some Intranet content due to limited effective capacity.
Effective capacity is a function of the network link speed, the applications being used, user patterns and the proper tuning of applications and network. Capacity constraints have made access to the Intranet and its applications very inefficient for some missions.
Poor Intranet response times are limiting the use of some tools intended to improve productivity. At the time of the audit, the Buenos Aires mission stated that virtually all Intranet applications are "painfully slow, to the point that they are either not used at all or, if used, they take so long that they either time-out, do not function regardless of how persistent the user is, or take so long that it has an enormous negative impact on productivity". For example, accessing a travel expense claim form from the Forms@DFAIT application can take as long as fifteen (15) minutes. Action has been taken by the department to address the difficulties experienced in Buenos Aires; however, these experiences may be similar with other applications and at other missions.
The Vienna, Austria Embassy tried to submit a fifteen (15) line posting to the mission Consular Officer "Community of Practice" run by SXKL using Tomoye software, but the user gave up after it took more than thirty-five (35) minutes to upload the posting. Although Communities of Practice have been established in order to share information and seek support from peers, those at some missions cannot participate due to slow network response times.
Factors that contribute to poor Intranet response times include:
There is the risk that users at missions with limited access to the Intranet or its applications will avoid using the Intranet or revert to unapproved options (e.g., locally saved versions of downloaded documents or outdated information, etc.).
2.5.1 BCD, through the Intranet Steering Committee, establish minimum standards of performance for all new Intranet applications and Web sites (e.g., minimum response times).
2.5.2 SXD review existing Intranet applications and Web sites to find means of reducing transfers of large files and forms (caching, reducing file size, etc.).
Action and Time Frame
2.5.1 BCD Response: BCD does not accept responsibility for establishing technical performance standards. SXE, through simulations of low bandwidth locations, should establish the minimum standards to which all Intranet applications and content must conform.
Time Frame: n/a.
ZIV Comments: This response suggests that the recommendation is being interpreted as a technical recommendation. However, the recommendation is for the establishment of user standards or requirements, so that the users can define the performance that they expect. This is the responsibility of BCD through the Steering Committee. It is SXE's responsibility to deliver systems and applications whose performance meets these user standards.
This comment is being provided as a clarification in order to expedite final issuance of the report.
2.5.2 SXD Response: New operational procedures to come with the re-designed Intranet will include as an objective the need to reduce transfers of large files. They will be supported by the new Web Content Management System (which should reduce the need for transfers) and improvements in the network (which should ease constraints on transfer).
Time Frame: F/Y 2006/07.
The lack of controls on material being published on the Intranet has management concerned that sensitive information available on the Intranet individually or collectively compromises security.
During audit interviews, the concern was raised that locally engaged staff with limited security clearance have access to information on the Intranet, such as personal information and property descriptions, that may collectively be sensitive. The audit found that a quality control process was not implemented to ensure that Intranet content was appropriately classified prior to its publication to ensure that it does not compromise security. Although there is general awareness of the importance of security, there is a need to reinforce security with respect to Intranet content.
Quality control criteria for publication to the Intranet, including content security classification procedures, are not defined or implemented. The Department needs to assign responsibilities for training of Intranet publishers on the security policies and procedures for Intranet content.
The audit observed alternatives to the Intranet for the dissemination of potentially sensitive information. For example, some Divisions use shared folders instead of the Intranet for the storage and secure dissemination of potentially sensitive information. Shared folders permit better controls over access to sensitive information than the Intranet.
2.6.1 BCD, in consultation with IST, identify and assess the adequacy of existing security policies and procedures related to Intranet content.
2.6.2 ZIV conduct a follow-up security audit of Intranet content in six months to identify outstanding security risks.
2.6.3 BCD, in consultation with IST, educate Intranet publishers on the security policies, procedures and quality control measures.
Action and Time Frame
2.6.1 BCD will work with IST to assess the existing security policies and procedures as relating to Intranet content.
Time Frame: March 31, 2006.
2.6.2 The recommended audit was launched by ZIV on November 30, 2005 and will be completed by March 31, 2006.
Time Frame: Under way.
2.6.3 BCD will contact all Intranet publishers to ensure that security policies, procedures and quality control measures are understood.
Time Frame: April 28, 2006.
The integrity of the content of some of the reviewed Web sites is low, which exacerbates the efficiency and effectiveness problems noted elsewhere in this report.
This situation typically indicates that a site has not been maintained in a state of currency. It is evident in the following ways:
Dead Links - This is the case where a hyperlink points to a page that is no longer valid. It arises when a page has been deleted or moved and the hyperlinks that point to that page (being on other pages and sites) are not updated. Dead links waste the time of users attempting to follow logic threads and links.
Examples of dead links were found only two pages deep from the main Panorama homepage:
http://intranet/menu-e.asp and clicking on "Other Directories" and then on "Listing of Mission Security Officers". This returns an error message: "404 Page Not Found". This is illustrated below.
Links to several examples of orphan files are provided here:
Inaccurate Content - This is the case where the information provided on a web page is not correct. It may arise when information has changed, but the reference has not been updated, or when information has not been validated between two different references. This makes the web experience ineffective and frustrating for users. User confidence is negatively impacted, often leading to users seeking alternative sources for information.The chart below illustrates the extent of orphan pages residing on the principle Intranet server (lbpis02). Inaccurate content may arise because of a disconnect between the content owner and the Web site publisher or application provider, either in changes that have not been communicated to the publisher or in incorrect information provided to the publisher.
An example, provided below, shows a file that was posted in 1997 and has not been modified since.
The inventory of 123,705 pages residing on the primary Intranet server (lbpis02) is categorized by the file date in the chart below. The breakdown reveals that more than half of the pages are three or more years old. Although some of the older Intranet pages are maintained for historical or other legitimate reasons, it is likely that many of the older pages are inaccurate and obsolete.
*123,705 pages on principle Intranet Server (lbpis02)
3.1.1 SXE review all pages on the principal Intranet servers and remove all dead links and orphan pages.
3.1.2 BCD initiate a review by Web site owners of all content for currency and accuracy.
3.1.3 SXE, in consultation with content owners, periodically scan all sites in order to identify and remove dead links, orphans, and stale content.
Action and Time Frame
3.1.1 SXE has reviewed and identified the dead links and orphan pages on the current Intranet site. As noted in recommendation 2.1.2, only re-usable content, which complies with standards, will be migrated to the redesigned Intranet site.
Time Frame: April 2006.
3.1.2 BCD will undertake a review of all Intranet content and contact the respective owners with the results and a recommended action plan. Resource requirements for this task have been addressed in the Intranet Re-design Project.
Time Frame: February 28, 2006.
3.1.3 SXE currently offers this as an on-demand service to content owners. The migration to the newly re-designed Intranet site will eliminate the existing problems. The introduction of new standards and processes, supported by a Web Content Management System, should simplify the task of maintaining current and correct content for content owners.
Time Frame: FY 06/07.
This section identifies those practices which ZIV considers to be best practices.
The Intranet should be considered another Information Technology (IT) service and, therefore, should be managed according to IT management best practices. Control Objectives for Information Technology (COBIT) has been developed as a generally applicable and accepted standard for good practices for IT control. COBIT is based on existing Information Systems Audit and Control Foundation (ISACF) Control Objectives enhanced with existing and emerging international technical, professional, regulatory and industry-specific standards. Examples of best practices and further information on COBIT are contained in Appendix C. ITIL (IT Infrastructure Library) is a widely accepted approach to IT Service Management.
The Headquarters based Intranet Web sites audited were compliant with the Official Languages Policy. The non-compliance to the Official Languages Policy was limited to some mission sites.
The management framework of the Horizons Intranet Web site exemplifies several practices recommended in this audit report. For example, the Horizons has clearly communicated that its purpose is to support ITCan personnel in the field with "usable and actionable" content. The Horizons Intranet site was based on a comprehensive analysis of user needs, and its Intranet Advisory Board regularly reviews performance metrics. A contact person is identified on each Horizons Intranet Web site making it easy for users to ask questions or provide feedback. Processes have been implemented for the ongoing management of new and existing content on the Horizons Intranet, and operational working groups actively manage content to ensure it is usable and accurate. The launch of the Horizons Intranet Web site was accompanied by considerable publicity and education. High levels of user awareness of content increase the likelihood published content will be used, therefore improving the returns on the investment in the Intranet.
|Head, Publishing Service and Intranet Webmaster||SXE|
|Trade Commissioner, Overseas Operations||TCS|
|Deputy Director, Information Organization and Disposition Services||SXKI|
|Communications Strategist, Office of ADM Human Resources||MSV|
|Account Manager, Client Liaison and Partnering Division||SXEC|
|Senior IMT Resource Analyst||SXM|
|Information Technology Advisor, Management Services Division||XDM|
|Team Lead (AMS service Desk)||SXEO|
|Lead Internet/Intranet Web Systems Analyst|
|Acting CIO and DG Information Management and Technology Bureau||SXD|
|Director of Communication Services||BCD|
|Acting Deputy Director, Application Operation||SXEO|
|Deputy Director, Application Development||SXED|
|Deputy Director, Modern Management||DMAX|
|Deputy Director, Overseas Operations||TCS|
|Web Production Manager||SXEO|
|Web Coordinator/Internet Content Manager||PEP|
|Associate Deputy Minister||DMA|
|Senior Project Officer||IBOC|
|Human Resources Management System and Compensation Services||SMD|
|Deputy Director, Foreign Policy and Corporate Communications Division||BCF|
|Deputy Director, Office of Innovation and Excellence||DMAX|
|Director, Outreach Programs and e-Communications Division||BCP|
|Deputy Director, Human Resources Management System and Compensation Services||SMSH|
|Deputy Director, Corporate Security Division||ISC|
|Regional eServices Manager, Export Development Division||TCE|
|Executive Assistant, Headquarters Administration Bureau||SPD|
|Program Officer, Peacebuilding and Human Security Division||AGP|
|Policy Advisor, Canada-US Advocacy and Mission Liaison Division||NUR|
|Systems Administrator, Application Operations Division||SXEO|
|Director General, Communications Bureau||BCD|
|Manager, Application Development and Maintenance||SRBI|
|Server||URL||Primary Role||Splash||Panorama||Colour||Title||Different||Not Found||Total|
|lpbis02||http://intranet||Panorama PLUS Others||42||3||4||16||5||70|
|lbpk01||http://corpapps||EQAMS, PubReg, Directory||1||2||3|
|lbpcat01||http://lbpcat01.capps||CATS, Tech Library||1||1|
|lbpk06||http://notespub01.dfait-maeci.gc.ca||Competitions, Acq Pol DB||2||2|
|albertpr||http://srdweb||Property, Materiel, Mail||1||1|
|lbpkz02 (on Internet)||http://pubx.dfait-maeci.gc.ca||Pubs Catalog||1||1|
Control Objectives for Information and related Technology (COBIT) were developed as a generally applicable and accepted standard to ensure that IT has an effective Management Control Framework and is able to meet client and management expectations. COBIT includes existing international technical, professional, regulatory and industry-specific standards and is now recognized by TBS as an applicable framework for the review and audit of information systems in the Government of Canada.
COBIT is designed to be used by three distinct audiences:
The COBIT methodology indicates that there are a number of different processes consisting of many controls, and there is a systematic way to assess those controls.
COBIT consists of a framework for control in IT based on business information criteria and documented by control objectives organized by IT domains, processes and activities. Each of these areas has in addition to a set of control objectives, a definition and a rationale for control.
Business orientation is the main theme of COBIT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. This includes providing adequate controls. COBIT provides a tool for the business process owner that facilitates the discharge of this responsibility.
The COBIT framework starts from a simple premise: In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. The domains are identified using wording that management would use in the day-to-day activities of the organisation.
For further information on COBIT see the COBIT website.
|Governance and overall management framework||Satisfaction of user and business requirements||Ongoing costs of ownership||Accuracy and currency of content||Availability and integrity of systems|
|IT Governance refers to a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.||User satisfaction is measured by:|
Business requirements refers to the degree of compliance to stated or implied parameters and specifications.
|Determination of how costs of ownership are monitored, and the process for comparison of actuals to budgets.||Information is correct and up to date.||Information is usable on demand to support business functions, and the information is accurate and complete.|
An accessibility check is a test that is performed to determine the compliance of a web page against a checkpoint. Each checkpoint may comprise more than one check to test for compliance.
An application that is part of the content of a Web site that is dynamically produced by a server-side application technology (which is not to be confused with an application server). From a security perspective, each page that is dynamically generated is an application. Note that applications may also be nested. For instance, the collection of ASP pages that make up WebXM can be considered to be the application "WebXM".
A server that awaits various types of requests (depending on the type of application server) and provides the business logic to process those requests.
A content asset that either contains an authenticator (in the case of form-based authentication) or that was accessed by means of an authenticator.
In the case of form-based authentication, the authenticator is the application that validates a user's credentials. HTTP, NTLM, and certificate-based validation all use authenticators that are inherent to the web server.
Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Boolean expressions are often encountered when doing searches on the web. In Boolean searching, you can use an AND operator between two words to find documents that contain both the words, or you can use an OR operator to find documents that contain either one of the words.
A Broken Links report includes the following error types:
A certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is a public key that is signed (using a digital signature) by a certificate authority (CA). Certificates also include some other ancillary attributes, such as the name, serial number, and expiration dates.
A CA is an authority in a network that issues and manages cryptographic credentials and public keys for message encryption. It is a part of a public key infrastructure (PKI).
A dashboard is a set of properties that defines how My Watchfire and My Watchfire Classic looks and behaves. In the case of My Watchfire, properties include which issues are presented, how issues are grouped and named, how scores are presented visually, and how its reports behave. In the case of My Watchfire Classic, properties include which issues are presented and how scores are calculated.
A digital signature is a signature derived from the content of a message that can be used to prove the integrity and origin of that message.
A file that contains content relevant to the goals of a Web site.
A domain is the part of the Uniform Resource Locator (URL) that locates an organization or entity on the Internet; for example, www.watchfire.com.
A name that identifies one or more IP addresses and consists of at least a top-level portion, such as .com, .gov, .edu, or .net, and a second-level portion, such as Watchfire or MicroSoft. A third, fourth, or more level portions may need to be added to it (for example, support.company.com).
A domain name service (DNS) resolves domain names to their associated IP address.
Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
The process by which data is encrypted and decrypted. For example, data encryption security (DES) is an encryption method.
External domains are those domains that have a different URL (up to the first backslash) from the URL of the site being scanned. If www.watchfire.com is scanned, domains such as www.products.watchfire.com will be considered external domains in the reports. This also applies to third-party reports in that URLs that are considered third-party are those that are external to the scan.
Anything stored on a disk that is understood as a file by the operating system of the computer housing the disk.
A computer on a network. Each host can be located based on its IP address, or by a fully qualified domain name. If the host is referred to by its host name, that name must first be resolved to an IP address by a Domain Name Service before the host can actually be located.
The name of a host with respect to its Intranet. Relative to an extranet, a host is named using a fully qualified domain name.
A description of the content of an image, used by people who cannot view or process the image fully. If the image is also described in text accompanying the image, or is a simple icon adequately represented by the ALT text, a separate description may not be necessary.
Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
An Internet Protocol (IP) address is a numeric identifier for a host, for example, 2188.8.131.52.
A domain that is included in the content scan and that appears in the Starting URLs list.
In cryptography, a key is a constant value that is applied using an algorithm to a string or block of unencrypted data to produce encrypted data, or to decrypt encrypted data. Although there are billions of keys in existence, a piece of data that was encrypted with one key can only be decrypted using that same key (or a related key).
A protocol governing how two parties exchange keys to use in securing a transaction. Once keys have been exchanged, data can be encrypted at the sender's end (using an agreed-upon encryption method) and decrypted at the receiver's end.
Key length is a measure of the size of the data that makes up a key, and hence determines how robust the key is. Longer keys, such as 128 bit, are generally considered to be harder to crack than shorter keys (48 bit).
An HTML element that allows a user agent to navigate from their current location to some URL. Links are URLs that can be clicked.
A way that a web server can manipulate information. Some methods are dangerous because they allow remote users to affect data on the web server.
The navigation trail, also known as "You are here", shows the path through the WebXM Control Center from where you started to where you are now. If there is not enough space to display the entire path, ellipses appear at the beginning of the path.
A numerical location on a host on which a server awaits requests. For instance, a host may receive requests on ports 80 and 443. Since the web server on that host awaits requests, or "listens " on port 80, and the application server on that host listens on port 443, requests made to those ports will go to their respective servers. Requests made to ports on which no server is listening will not be honoured.
A private key is an encryption key known only by a select group of clients. Private keys can be used in conjunction with a related public key (in which case the public and private keys are asymmetric) or by themselves (in which case they are symmetric) to effectively encrypt messages and digital signatures.
A public key is the part of a public-private key pair that is made available to anyone to validate data encrypted with the private key. Because public keys are always part of a key pair, they are by nature asymmetric.
A public key infrastructure (PKI) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.
When a Feedback survey is published to a Web site, HTML and .jsp pages are generated and saved to the Feedback Server. In addition, the survey's status is changed to active, meaning that it is available to Web site users.
Reliability of information relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities.
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet, that has been succeeded by Transport Layer Security (TLS). SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.
A server that handles SSL HTTP requests.
A program that resides on a host and waits for and fulfils requests from other hosts. Servers receive requests through one or more ports on a host.
A technology that is enabled for a web server, such as Active Server Pages (ASP), Java Server Pages (JSP) or PHP. Server-side application technologies produce dynamic web content, which is considered to be an application.
A set of formatting or style commands that are kept separate from the actual content of a web page. This makes formatting easier as it can be defined globally, rather than each time a particular element occurs.
The type of key used in a form of encryption where the same key used to encrypt data is needed to decrypt it.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet and is the successor to the Secure Sockets Layer (SSL). When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message.
A URL, or Unique Resource Locator, is a way of indicating the location of an item in cyberspace.
A user type, and there are four of them, describes a particular user's abilities within the WebXM Control Center. However, their capabilities can further be extended by the role or roles they assume under webspaces. The four user types are: Standard User, System Administrator, No Access, and Webspace Creator.
A server that awaits Hypertext Transfer Protocol (HTTP) requests, and serves up HTTP in response.
Technology assets, such as a content management system, that are used to build and manage the content assets of a Web site.
1 Control Objectives for Information and Related Technology: Information Systems Audit and Control Association, see details
2 Control Objectives for Information and Related Technology: Referenced by Treasury Board Secretariat for the conduct of assurance engagements related to Information Technology.
3 IT Infrastructure Library: ITIL has become the worldwide de facto standard in Service Management.
4 Due to provisions of the Privacy Act, the names of participants have been removed from the final report.