Audit of IT security: Threat and vulnerability management

Final report summary

Global Affairs Canada
Office of the Chief Audit Executive


In accordance with Global Affairs Canada‘s approved 2018-19 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted an Audit of Information Technology (IT) Security : Threat and Vulnerability Management. 

Properly planned and implemented threat and vulnerability management (TVM) programs represent a key element in an organization’s Information Technology (IT) security program to detect cyber threats and to provide an approach to risk and vulnerability mitigation that is proactive and business-aligned based on risk, not just reactive and technology-focussed.  These TVM programs are intended to provide a way to assess the potential business impact and likelihood of threats and risks to an organization’s information infrastructure before cyber security incidents occur.  Effective TVM programs help organizations meet and exceed those critical requirements.

Cyber attacks and the associated risks are forcing most organizations to focus more attention on information security.  Several factors have driven the increased risk and subsequent attention paid to IT security issues, including the evolving threat landscape and rapid changes in technology.  Federal government departments and agencies are subject to millions of cyber-intrusion attempts every day.

The Department’s IT system supports Canada’s international presence at 178 points of service in over 100 countries.  The Department faces constant cyber security threats and risks due to the nature of its mandate.  IT security at Global Affairs Canada is about mitigating vulnerabilities and reinforcing the safety of its IT systems and digital information through properly planned and implemented Threat and Vulnerability Management (TVM) programs.

IT Security threat and vulnerability programs are legislated by a number of policy and guidelines as follow:

Audit objective

The objective of the audit was to assess the existence, design and effectiveness of information security controls implemented by the Department to detect, evaluate and remediate IT security-related threats and vulnerabilities. 

Audit scope

The audit assessed the processes and controls in place over IT threat and vulnerability management during the period of April 1, 2018 to February 28, 2019.

For the purpose of this audit, IT threat and vulnerability management processes included:

The scope of this audit did not include organizations outside of GAC but did consider how GAC manages the information received from external organizations to inform their IT security program.

The audit team examined documents, conducted interviews with departmental officials, and assessed vulnerability of departmental IT system. In addition, the audit team conducted technical vulnerability assessment of three GAC applications.

Observed strengths

The following strengths were identified during the audit:


Based on a combination of the evidence gathered through the examination of documentation, analysis, interviews and process walk-throughs, each audit criterion was assessed. Observations were noted in the following areas during the audit:


The audit team found that the Department has implemented some information security controls to detect, evaluate and remediate IT security-related threats and vulnerabilities.  However, areas for improvement regarding the existence, design and effectiveness of controls were noted. 

More specifically, the audit team found that the Department had processes in place to collect cyber threat intelligence from both internal and external sources, but would benefit from  an enterprise-wide threat and vulnerability management program to coordinate activities across the Department. 

Statement of conformance

In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.


Global Affairs Canada
Information Technology
Management of Information Technology Security
Treasury Board
Threat and vulnerability management



1. To provide assurance that GAC has implemented an effective management control framework, which includes accountabilities, policy and monitoring to mitigate IT threats and vulnerabilities

1.1  Roles and responsibilities related to TVM between internal and external partners, including between HQ and missions, and clearly defined and understood

1.2  There is an effective process to manage and prioritize the IT assets in scope for TVM at GAC

1.3  The TVM Program and related policy framework is adequate to ensure required IT security controls are consistently applied throughout the organization.

1.4  A performance monitoring process is in place to evaluate and report on TVM performance and the evolution of IT security vulnerabilities.

2. To provide assurance that GAC has implemented effective operational and technical controls throughout the department to mitigate risks related to IT threats and vulnerabilities.

2.1  There are effective controls and processes in place to detect, evaluate and prioritize IT security related vulnerabilities

2.2  There is an effective process to define IT security requirements in missions, aligned with defined threat and vulnerability levels

2.3  There is an effective process to provide IT security awareness and training on IT security threats and vulnerabilities tailored to various user groups

2.4  There are effective processes and controls in place to ensure identified vulnerabilities are remediated in a timely manner based on the severity of the vulnerability and the underlying threat, including patch management and system hardening;

2.5  There is a process in place to ensue IT security vulnerabilities are considered in GAC’s SDLC.


Date Modified: