Audit of Data Centre Management
3.0 Findings and Recommendations
3.1 Introduction
This section presents detailed findings from the audit of DCM. Findings are based on the evidence and analysis from both the initial risk analysis and the conduct of the audit.
3.2 Governance
The DCM function is mature in terms of operational processes and procedures. The Department has adopted and implemented the project management methodology outlined in the TBS/CIO Enhanced Management Framework and the Information Technology Infrastructure Library service delivery and service support processes. Review bodies provide oversight to data centre incidents, problems and changes.
However, improvement could be made in the following area:
Finding 1.0: Functional Authority at an Operational Level
The CIO is not fully exercising functional authority, at an operational level, over computing facilities where sectors have retained responsibility for the development and support of program-specific IT systems. Functional authority in this context refers to the authority to direct how the Department's server and computer rooms operate.
The 2009 Treasury Board Directive on Management of Information Technology states, in part, that "The departmental CIO or equivalent is responsible for…
- Developing and maintaining efficient and effective departmental IT management practices and processes, as informed by ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology), with priority on IT asset management, the IT service catalogue and IT service costing and pricing, as appropriate…
- Aligning departmental IT management practices, processes and technology architecture with federal government strategy, directions, standards and guidelines as they become available and as they evolve under the guidance of the CIOC (Chief Information Officer of Canada) …
- Reviewing and assessing IT services periodically to identify opportunities for enhancing efficiency, effectiveness and innovation as determined by governance and in collaboration with service providers, service users and other stakeholders…"
Although the CIO exercises full responsibility and authority over the operation and maintenance of the ICDC, the CIO does not exercise functional authority over all of the Department's server and computer rooms (e.g. those of Communications Research Centre Canada and Spectrum, Information Technologies and Telecommunications). Functional authority in this context refers to the authority to direct how the Department's server and computer rooms operate in terms of incident management, problem management, change management, release management, and access and environmental controls through the development, communication and monitoring of policies, directives, procedures and standards.
The CIO is responsible for the Department's core IT infrastructure and must also ensure that those connecting to the infrastructure will not create any risks or security issues.
There has been and continues to be an evolution towards centralized IT management within Industry Canada. The Department has a stated policy following from the BearingPoint study (August 2004) that all infrastructure procurement and IT contracting must be approved by the CIO; however, the CIO has confirmed that this policy is not consistently applied by business units.
The Department's IT Governance framework effectively addresses IT planning and investment decision-making and project management through the IT Senior Management Committee and the Project Oversight Committee.
The IT Standards and Architecture Committee, chaired by the CIO, has the mandate to define, approve, implement, evolve, promote and enforce Departmental IT standards and architecture at Industry Canada. The CIO has developed practices and processes for DCM. However, the CIO has not fully ensured Departmental IT management practices and processes are in place in all of the Department's server and computer rooms nor has the CIO reviewed and assessed the Department's computer and server rooms periodically to identify opportunities for enhancing efficiency, effectiveness and innovation.
In addition to being non-compliant with the Treasury Board Directive on Management of Information Technology, the absence of the exercise of functional authority and direction with respect to the operation and maintenance of the Department's computing facilities increases the risk of inconsistent and inefficient business processes and practices, and misalignment with Departmental and government-wide directions.
Recommendation 1.0:
It is recommended that the CIO exercise functional authority with respect to the management of the Department's IT infrastructure, computer rooms and server rooms in operation outside of the ICDC.