Census Information Technology Security Verification Task Force Final Report April

2006 Census Information Technology Security Verification Task Force Final Report April, 2006 April 25, 2006 Dr. Ivan P. Fellegi Chief Statistician of Canada Statistics Canada Ottawa, Ontario K1A 0T6 Dear Dr. Fellegi: It is with pleasure that we submit to you the report of the 2006 Census Information Technology Security Verification Task Force. As you know, our mandate was to examine whether there is any cause for concern regarding the confidentiality of census returns and the protection of data electronically stored, processed or transmitted for the 2006 Census using contractor developed systems. My colleagues in this oversight effort, Mr. Jean-Pierre Soublière and Mr. Simon Gauthier, our technical advisor, Mr. Robert Reimer, and I have between us strong auditing, systems and information technology (IT) security expertise. Over the past six months, we have applied our knowledge and skills to the task of understanding the Census process; verifying whether security audits of the contractor developed aspects of the IT systems for the 2006 Census were sufficiently rigorous; and assessing whether the responses of your staff to the recommendations made by the IT security auditors have resulted in a strong security posture for the 2006 Census information systems. We would like to take this opportunity to emphasize that throughout our review, the professionalism of the Statistics Canada personnel with whom we interacted was excellent. They were highly cooperative, always willing to share, remarkably nondefensive in accepting suggestions and critiques, and above all, highly dedicated to leaving no stone unturned in safeguarding the confidentiality of Census information. They clearly understood the importance of proving to us, and through us, to Canadians, that all reasonable measures have been taken to protect Census information from unauthorized access through means potentially created by contractors, and that the Census information systems can be trusted and are secure. Denis Desautels Chair of the Task Force 2 Executive Summary The 2006 Census Information Technology (IT) Security Verification Task Force was formed to answer the question: “Can Canadians trust that the information to be gathered during the 2006 Census will be secure, given that Statistics Canada will use contractor developed systems for the Census?” Chaired by Mr. Denis Desautels, former Auditor General of Canada, Task Force members also included Mr. Jean-Pierre Soublière, former President of Systemhouse Canada and International; Mr. Simon Gauthier, Senior Manager, IT and General Services, Inter-American Development Bank and former Deputy Chief Information Officer for the Government of Canada, and special advisor Mr. Robert Reimer, Advisory Services Partner of PricewaterhouseCoopers LLP. Each member brings extensive expertise in the relevant areas of auditing, information systems and IT security. The members of the Task Force undertook some basic research to understand how the Census works and how technology systems supplied by outside contractors are to be used. This involved visiting the Data Processing Centre, reviewing documentation and conducting extensive interviews of Statistics Canada’s Census systems personnel. We also interviewed representatives from the three accredited IT security companies that were each tasked with conducting an independent security audit on one of the three key components of the Census technology infrastructure: the Census Internet System; Census Data Processing Centre, and Census Help Line. The IT security companies all possess recognized security auditing expertise and followed a rigorous auditing process, including conducting threat and risk assessments and vulnerability assessments. They looked at areas including system security configuration and testing, security architecture, monitoring and auditing, source code, vulnerability and penetration testing, physical security, and documentation. The companies formulated their observations and recommendations in two phases, making recommendations for improvements in several areas, and then verifying the improvements that were made. At each phase, the Task Force was presented with their findings and had ample opportunity to question company representatives directly on their conclusions. Recommendations for improvements were implemented rapidly, and the adequacy of these responses by Statistics Canada was confirmed by the three IT security companies. Throughout our mandate, Statistics Canada personnel were very responsive to our requests, transparent in sharing information and discussing issues with us, and accepted recommendations willingly, exhibiting a strong commitment to making the Census infrastructure as secure as possible. We conclude that the data to be gathered during the 2006 Census using the contractor supplied systems will be secure. Based on the work performed and to the best of our knowledge, it would be practically impossible for the contractors involved in the Census project to intentionally or otherwise access Census data. In addition, we can report that the overall security posture for the Census applications and the physical facilities where Census data will be collected and processed has been further strengthened as a result of the three security audits. We did not cover the operational readiness of the systems, service quality and functionality, or the overall security of the Census. We can state that we have full trust in the 2006 Census electronic infrastructure, and have no reservations about completing the Census online. 3 Table of Contents Executive Summary ................................................................................................................ 3 1.0 2.0 3.0 3.1 3.2 4.0 4.1 5.0 6.0 Introduction.................................................................................................................... 5 Purpose of Task Force ................................................................................................ 6 Context for the Census Systems Contract Award ........................................... 8 Protection and safeguards in the automated 2006 Census system..... 9 Basic configuration of the automated 2006 Census system ................. 10 The Task Force Review Process............................................................................ 11 Methodology used for IT security audits of key components ............... 11 Findings.......................................................................................................................... 13 Conclusion..................................................................................................................... 15 Annex A: Biographies of Task Force Members ........................................................... 16 Annex B: 2006 Census Milestones .................................................................................. 22 Annex C: Statistics Canada’s Overview of the 2006 Census ................................ 24 4 1.0 Introduction The 2006 Census Information Technology (IT) Security Verification Task Force was formed in August, 2005 at the request of the Chief Statistician of Canada, Dr. Ivan Fellegi. Our mandate was to ascertain whether there is any cause for concern regarding the confidentiality of Census returns and the protection of data electronically stored, processed or transmitted for the 2006 Census as a result of using contractor developed systems. Task Force members are Mr. Denis Desautels, former Auditor General of Canada; Mr. Jean-Pierre Soublière, former President of Systemhouse Canada and International; and Mr. Simon Gauthier, Senior Manager, IT and General Services, Inter-American Development Bank and former Deputy Chief Information Officer for the Government of Canada. The members were selected because each brings extensive expertise in the relevant areas of auditing, information systems and IT security. In addition, to ensure that we were thorough, we engaged the services of a senior recognized information systems security auditor, Mr. Robert Reimer of PricewaterhouseCoopers, to advise us in our review. (Summary biographies of all Task Force personnel are appended in Annex A of this report.) We recognize the importance to Canada and Canadians that the Census be “above reproach” regarding the protection of Census data. Because Census information is so critical to good governance, sound policy making and effective and fair programme and service delivery, any threat, perceived or real, to the confidentiality guaranteed respondents is a problem. Left unaddressed, warranted or not, a potential threat could undermine the integrity of the most important set of data upon which sound public policy decisions in Canada rely, and indeed, that decisions in the private and voluntary/not-for-profit sectors rely on as well. In short, we fully appreciated the importance of our task. To the best of our ability, we were vigilant in carrying it out. This report is a summary of our review. In it we provide the background and context for our work; explain the process employed in the conduct of IT security audits of the three main system components; the findings and impacts of these audits, and our conclusions. 5 2.0 Purpose of Task Force Every five years, a huge amount of effort goes into planning and executing the Census in Canada. (See Annex B for a list of the major milestones in the Census process prepared by Statistics Canada.) This massive accounting of our population, conducted at considerable public expense, involves, over the course of only a few days, the distribution, completion and return of millions of Census forms. The data collected plays an extraordinarily important role in Canada’s progress, fueling informed decisions in all sectors of society. With an enormous volume of information to collect and to process, and only one chance to get it right, this major exercise must have reliable, robust and scalable IT systems – in short, the best systems available at a reasonable price. Furthermore, to encourage full participation in the Census and make it as easy as possible for Canadians to provide information and ensure the data collected is as error-free, authoritative and meaningful as possible, there must be public confidence and trust in the Census, and the people and the systems that make it work. That is why the controversy surrounding the award of a contract for the provision of systems hardware and software, as well as printing and some support services for the 2006 Census, needed to be addressed. The original systems contract was awarded to Lockheed Martin Canada with subcontractors IBM Canada and Transcontinental Printing Canada, in February, 2003 by Public Works and Government Services Canada (PWGSC) through an open, transparent, and stringent competitive bidding process. The contract, as originally awarded, included: 1. 2. 3. 4. 5. 6. 7. 8. Systems development and hardware for the scanning of census questionnaires, A secure Internet application, Computer assisted telephone interviewing software, The printing of questionnaires, Acquiring the space for centralized data processing operations, Equipping and fitting up the site, Hiring of human resources to complete data processing operations, and Management of data processing operations. Following the award, some Canadians, including Members of Parliament, groups dedicated to protecting Canadian sovereignty, and editorialists, pointed to the USA Patriot Act1 and argued that there was a risk that American officials might use it to compel Census systems contractors, two of which are subsidiaries of U.S.-based firms, to provide them with confidential information about Canadians collected through the Census. Even though the contractors are subject to Canadian federal laws, specifically the Statistics Act, which prohibits any court or law enforcement agency anywhere from obtaining information collected through the Census, to alleviate confidentiality and privacy concerns Statistics Canada opted in 2004 to “de-scope” the contract. These modifications removed items #5 to #8 from the contract with Lockheed Martin Canada and its subcontractors, The Act and the Foreign Intelligence Surveillance Act (FISA), provide for very specific measures that expand the authority of the Federal Bureau of Investigation (FBI) to obtain information related to investigations of terrorism or clandestine intelligence activities. Specifically, these provisions permit the FBI to require U.S.-based entities to disclose information under their control or for which they can obtain access. This would include information held under a contract or arrangement with a U.S.-based corporation or a Canadian or foreign subsidiary of a U.S.-based corporation. Given the secretive nature of the process, entities that are ordered to produce information under the USA PATRIOT Act are prohibited from disclosing the fact that information was provided to the FBI. 1 6 restricting the contract to the provision of systems hardware and software, services associated with these areas, and printing (i.e., items #1 to #4). Privacy advocates, including the Privacy Commissioner of Canada, viewed this decision favourably, concluding that it had removed any risk of the USA Patriot Act ever being used to access confidential Census information. Nevertheless, despite strong assurances from Canada’s Chief Statistician, Dr. Ivan Fellegi, that the firms were now only contracted to build the systems, not to run any part of the Census, and so could not come into possession of Canadians’ confidential census data, some Canadians still voiced concerns. For example, there were fears that the hardware and software the contractors were supplying could contain a “back door” such as a computer worm or virus that might enable U.S. authorities to secretly access Census information about Canadians. Consequently Statistics Canada took the decision to have independent security verifications – three separate, independent security audits – conducted of these systems prior to the 2006 Census. For Statistics Canada, on the eve of its largest ever Census, any risk that Canadians perceive about the confidentiality of their census returns is an issue. Consequently, the purpose of our Task Force was to probe on Canadians’ behalf to provide a second layer of independent comfort by validating the approach taken by the IT security companies; questioning these reviewers about their findings and recommendations, and the adequacy of Statistics Canada’s responses; and, providing our conclusion to the Chief Statistician about the security posture of the 2006 Census technology systems supplied by outside contractors. 7 3.0 Context for the Census Systems Contract Award According to Statistics Canada senior management, this year will see a fundamental change in the business model for the Census. For more than three decades, the organization has relied on a business model based on the use of Census Representatives. These individuals were assigned a geographical area within which they “enumerate” Census respondents (i.e., residents of Canada). They conducted house to house visits, delivering questionnaires and listing dwellings visited in a “Visitation Record” which was used to track the return of questionnaires by mail. They then checked the returned questionnaires, following up with respondents if necessary to successfully complete them, before forwarding them to a Data Processing Centre. Since 1981, the data capture function has been contracted out to the Canada Revenue Agency (CRA), which at the time of the year the Census is conducted, occurring just after tax season, has historically had idle equipment and available personnel for manual data entry (i.e., surplus “keying capacity”). For most of the past three decades, this “manual” model has produced excellent results. However, times have changed. Statistics Canada no longer has the same access to keying capacity at the level it needs through CRA because of the significant expansion in electronic tax filing in recent years. CRA no longer needs to maintain a large number of employees for this manual work, which Statistics Canada would need to turn around Census data in a reasonable amount of time. It is also becoming increasingly difficult and costly to recruit and train the large, temporary and decentralized workforce of 45,000 people that the manual business model requires. There are also changing expectations amongst information suppliers and users. Canadians want more privacy, and are increasingly uncomfortable with local Census Representatives seeing their personal data. Moreover, in our steadily more time sensitive economy and society, the stakeholders who use the Census data want it sooner. Finally, and perhaps most significantly, an increasing proportion of Canadians want the convenience of doing their business with government online, including completing their census forms. In 2006, when some 12.6 million taxpayers are expected to file their federal tax returns electronically, failing to offer this option for the Census would risk irritating a significant number of Canadians. (For more detailed information prepared by Statistics Canada on its Census 2006 methodology, please see Annex C.) At the same time, the technologies that would support an automated business model for the Census have matured to the point where their demonstrated reliability, coupled with their obvious efficiency advantages, supersedes any residual risks associated with using them. Proven technology like optical scanning to “read” paper-based records and convert them to digital formats, and encryption to protect data entered online, can now be safely leveraged in an automated business model. Such a model would provide significant convenience benefits and additional privacy assurance to census respondents, along with timelier and more accurate data collection results. Indeed, rather than elevating the risk of security breaches, advances in security solutions for “real time” electronic data collection and processing mean that state-of-the-art systems based on these technologies have a superior security posture than systems that rely on paper forms (which, it should be noted, also increase waste). In paper-based systems, the collection and shipping of large quantities of physical records from multiple locations always involves a risk that some records will go missing or could be purloined, and manual data entry inevitably increases security risk because more people are handling data directly (along with error rates because of the increased likelihood of simple human error). 8 These capabilities and benefits, alongside reduced risks, will be harnessed by the new automated business model, which will be fully employed for the first time for the 2006 Census. This model shifts from a near total reliance on Census Representatives and manual data entry, to a direct mail-out to approximately 70% of the dwellings in Canada and respondent data provided directly to the Data Processing Centre. Once respondents receive their Census form in the mail, they will have three options: 1) Filling it out in hard copy and mailing it back to the Data Processing Centre, where the form will be “read” by an optical scanner; 2) Calling the Census Help Line and receiving assistance to complete the return, which is particularly important for those respondents whose first language is neither French nor English and for persons with disabilities; or, 3) Going online and submitting their return electronically. Post-census day, follow-up to ensure completed questionnaires are collected and processed for each dwelling will include contacting respondents via telephone, and in-person if necessary, to fix any problems with returns, regardless of how they were filed. The automated business model will allow this follow-up activity to be done more efficiently and much faster, saving at least two months time. The contract awarded to Lockheed Martin Canada and its subcontractors IBM Canada and Transcontinental Printing Canada, was for building the systems required for the new automated business model and for printing Census forms. The work involved selecting, integrating and testing the technologies and services that the automated business model required, and ensuring that they worked and interfaced smoothly. The security of the final system developed by the contractors is the subject of the 2006 Census IT Security Verification Task Force review. 3.1 Protection and safeguards in the automated 2006 Census system As explained to the Task Force, a number of fundamental design principles for security guided the overall design of the 2006 Census information systems. These principles have a direct bearing on the security profile of the 2006 Census applications including the physical facilities where Census data is collected and processed. They are specifically intended to protect against unauthorized outside access (i.e., a security breach). They are: Containment (Compartmentalization), which separates data processing into zones or compartments, so that in the event of a problem such as a virus or worm, the impact can be contained without necessarily shutting down information processing entirely. This is analogous to water-tight compartments in ships or submarines. Minimum Exposure, which involves controlling information flow between compartments with firewalls, each of which is configured for the minimum possible set of networking protocols. The information itself is encrypted from the point of entry through transmission (using dedicated telecommunications services) to the Data Processing Centre and then in the database. It is only ever decrypted for very brief periods for the purposes of validation. Multiple Layers, which is one of the key benefits of using commercial off-the-shelf software as building blocks in an information system. The final system contains layers – patches between and configurations of these building blocks – which makes it highly unique. For it to be penetrated or compromised by an unauthorized user to gain access to census information, multiple vulnerabilities in multiple layers, each built with software and hardware from multiple 9 vendors, would all have to be exploited simultaneously, which would be extraordinarily difficult, if not impossible to do. Separation of Duties, which means that authorized personnel have access or administrative control over only a part of the system. Changes and other administrative activities by these employees are all logged, and the logs are reviewed by employees other than those who performed the work. Unauthorized activity would be easily discovered. 3.2 Basic configuration of the automated 2006 Census system There are three main components in the automated 2006 Census System: 1) An Internet application that allows Canadians to file their Census returns online, integrated with processing and collection operations, that uses Secure Channel and SEAL (Session Encryption with Automated Login) as an additional security measure; 2) The Data Processing Centre (in Gatineau, Québec) where data in all returns, regardless of how they are filed (online, over the telephone or via the mail on hard copy) is captured and entered into the Census database; and 3) The Census Help Line sites in Moncton, Edmonton and Toronto, through which computerassisted telephone follow-up is conducted to fix incomplete returns filed on paper after they have been rejected by a set of automated algorithms which are part of the optical scanning process. (Returns filed by respondents electronically are not “accepted” by the system unless completed correctly.) 10 4.0 The Task Force Review Process The members of the Task Force undertook some basic research to understand how the Census works as well as how technology systems supplied by the outside contractors are to be used. This involved visiting the Data Processing Centre, reviewing documentation and conducting interviews with Statistics Canada’s Census systems personnel. However, the majority of our work focused on reviewing the findings of three accredited IT security companies, each of which was tasked with conducting an independent security audit on one of the three key components of the Census technology infrastructure, as follows: Cinnabar Networks (now part of Bell Canada) for the Census Internet System; TRM Technologies for the Census Help Line sites; and, CGI Information Systems and Management Consultants for the Census Data Processing Centre. The companies were contracted by Statistics Canada using the Government of Canada’s National Master Supply Arrangement for Information Technology Infrastructure Security and Protection Services (ITISPS). All security specialists proposed by the firms for the auditing work were citizens of Canada and their expertise was validated by Canada’s Communications Security Establishment through the ITISPS programme. These individuals also possessed valid security clearance at the level of Secret, granted by PWGSC’s Canadian and International Industry Security Directorate. None had been involved in any way with the design or implementation of the 2006 Census system, or any of the work undertaken earlier for Statistics Canada to build and/or test its new system. All three firms followed the RCMP Guide to Threat and Risk Assessment for Information Technology, and the Communications Security Establishment (CSE) Risk Management Guidelines. They also applied the new Government of Canada Operational Standard for the Management of Information Technology Security (MITS). MITS contains 144 mandatory requirements to which federal departments and agencies are expected to be compliant by December 2006 for the security of information and information technology (IT) assets under their control. 4.1 Methodology used for IT security audits of key components Each firm conducted their security audit in two phases. In Phase I, they conducted Threat and Risk Assessments (TRAs) producing recommendations for modifications and enhancements to fix any vulnerabilities they uncovered and/or to bring the administration of systems and facilities up to the level required by MITS. In this Phase, they were tasked with answering, at a minimum, the following three questions pertaining to the component of the Census technology infrastructure they were auditing: 1. Are the security requirements and security architecture valid and complete for the component as developed by external contractors? 2. Are the physical, hardware, software and communications security safeguards specified in the design and implementation plans of the contractor-developed systems adequate to ensure that census data will be processed by these secure systems in Statistics Canada’s facilities exclusively? 3. Are there any residual threats or risks that could be exploited or that could compromise the protection of Census data because the component has been developed by contractors? 11 At the end of Phase I, each of the IT security companies produced a TRA report that included specific recommendations to mitigate any residual risks and that assessed the degree to which risks were being appropriately managed by Statistics Canada. In Phase II, the IT security companies conducted an IT Security Readiness Assessment, which included assessing Statistics Canada’s response to their Phase I recommendations. To determine the level of readiness of IT security safeguards, they conducted: Physical inspections to ensure that the hardware, software and communications security safeguards had been implemented as per specifications for the contractor-developed systems; Inspections that the physical security and access controls safeguards were in place for the contractor-developed systems and for interfaces with other authorized systems; Vulnerability assessments, including where required, specific technical tests, to complement the TRA in Phase I. The intent was to test each contractor-developed system for particular potential weaknesses that could seriously compromise security; A review of the TRA delivered in Phase I, to update as required, and assess the level of readiness of the plans to mitigate or manage risks identified in Phase I; A verification of the adequacy of security education and training to ensure Statistics Canada personnel operating the contractor-developed systems are aware of their IT security related responsibilities prior to the start of the 2006 Census; and, A verification that the procedures and escalation processes are in place to promptly report IT security incidents and to deal with any security breaches with contractor-developed systems. Reports provided by all three IT security companies at the end of Phase II detailed the final results and conclusions from the vulnerability assessments, security tests and physical inspections, confirming that all security requirements were reviewed and satisfactorily addressed. 12 5.0 Findings No critical deficiencies were identified in Phase I by any of the IT security companies that were not already part of Statistics Canada’s project plans and updates. However, a number of specific recommendations were made aimed at further strengthening safeguards against potential risks associated with the contractors having developed the systems. For the Census Internet System (CIS), recommendations from the IT security company included a “source code review” on the final product to investigate the possibility of a “backdoor” having been inserted in the Census web application that could potentially be used to redirect confidential citizen data to an unauthorized destination. Several recommendations were made concerning what the development contractor should provide, including documentation related to their system security policy; detailed application, network and security architecture diagrams; recommended security procedures, and security training and knowledge transfer to Statistics Canada personnel. Other recommendations focused on strengthening system security configuration (e.g., device hardening to close unnecessary ports and remove non-essential hardware and software from desktops); installing a host intrusion detection system to detect and protect against unauthorized system and security configuration changes, and installing anti-virus software on all servers in the Census Information System. For the Census Help Line (CHL) system, all fax line connections were tested and confirmed to be properly configured. Internal testing uncovered vulnerabilities in several servers, and recommendations were made to improve “patch management” procedures. The TRA also found some technical vulnerabilities in the physical environment, and recommended tougher access controls inside the facilities (e.g., additional security guard posts and motion detectors for exit doors) and at workstations (e.g., to disable USB ports, as well as CD-ROM and floppy drives). Recommendations from the TRA for the Census Data Processing Centre (DPC) included performing vulnerability testing, employing multi-level access controls, providing a system audit capability and system specific security specifications, and enhancing incident detection capability. Statistics Canada acted on all the recommendations to improve safeguards against unauthorized access. In their Phase II reports, the IT security companies verified that key safeguards and interfaces had indeed been implemented; that security education and training was adequate; that procedures and escalation processes were in place to promptly report IT security incidents, and that physical security measures were satisfactory. They reported that Statistics Canada’s adoption of Phase I recommendations had reduced the overall residual security risk to an acceptable level – i.e., low. As part of the Phase II process, a series of penetration tests were also conducted, where IT security companies experienced in “hacking” techniques, tried to gain access to proxies of confidential census responses. None were successful, further confirming that adequate safeguards to protect against unauthorized access are in place. As to the security readiness of specific system components, testing conducted in Phase II of the CIS found a couple of areas that needed improvement, including strengthening firewall controls, stepping up the frequency of security system testing, and encrypting sensitive information across internal networks. Only two high priority recommendations were made, and concerned installing up-to-date security patches and password protocols. All recommendations were acted upon within days of being made. 13 At the beginning of April, a thorough review of the source code was performed, focusing on all points where data entered and exited the CIS. No weaknesses were found and the IT security company reported no reason for concern that a “backdoor” had been inserted into the system that could compromise the confidentiality of census information. Indeed, the reviewers were impressed with the “cleanliness” and high quality of the source code, which they stated was amongst the best they had ever seen. For the Census Help Line (CHL) system, all Phase I recommendations including the strengthening of physical security, were confirmed as having been implemented, and in the IT security company’s view, “excellent work has been completed to address deficiencies identified during both Phase I and Phase II TRA activities. Specific recommendations provided to CHL sites following a first round of site inspections have been implemented mitigating any serious risk. No additional recommendations resulted from follow-up site visits; and CHL Moncton, CHL Toronto, CHL Edmonton and CHL/FEFU Ottawa are considered to be adequately secured for their role in Census 2006. The residual risk is deemed to be low.” For the Census Data Processing Centre (DPC), the Phase II readiness assessment also included a physical security inspection, review of operational security procedures, as well as a technical vulnerability assessment. The physical security of the Centre was assessed as fully satisfactory. Recommendations concerning security policy, procedure and testing were verified as having been implemented and functioning as intended. This included confirming that workstations had no access to print capabilities (to prevent an operator from printing off confidential information) and CD drives and USB ports were disabled to prevent copying of confidential information to removable storage media. Concerning the technical vulnerability assessment, the IT security company found that “the overall technical security posture of the DPC is considered excellent. Security devices were well configured and functioning as expected. Network devices (switches) were well configured and all ports on switches are managed to prevent the deployment of unauthorized devices on the network.” The 2006 Census IT Security Verification Task Force had ample opportunity to question all three teams that conducted the security audits, and to question Statistics Canada personnel on the status of their actions to implement recommendations. At no time did any of the IT security companies’ reviewers suggest that Statistics Canada personnel were anything other than eager to know about, and to fix as rapidly as possible, any weaknesses uncovered. Several of the reviewers commented on the speed with which personnel acted. One remarked that in 30 years of experience, the awareness of and commitment to system security exhibited by Statistics Canada staff was the best he has ever seen. 14 6.0 Conclusion In the case of the Census, Canadians’ expectations for the protection of their personal data must be met. The public’s trust and confidence in the process, and the systems used by Statistics Canada, is essential to ensure participation and hence, the reliability and utility of Census information to its many users. Our conclusion is that the data to be gathered during the 2006 Census using the contractor supplied systems will be secure. Based on the work performed and to the best of our knowledge, it would be practically impossible for contractors involved in the Census project to (intentionally or otherwise) access Census data. Furthermore, the security posture for the Census applications and the physical facilities where data is collected and processed have been strengthened as a result of the three IT security audits. Members of the Task Force have full trust in the security that the 2006 Census electronic infrastructure will provide, and have no reservations about completing the Census online. On the matter that led to the formation of our Task Force, after conducting our review, we are confident in stating that, were the Canadian subsidiaries of the US firms that were contracted to build the system solution for the 2006 Census ever asked to supply information about individual Canadians to the US government under the terms of the USA Patriot Act, they would not be able to do so. In the history of Statistics Canada there has never been an incident involving the disclosure of confidential information due to contractor involvement. The Task Force found no reason to be concerned that, with the contract awarded to build the 2006 Census automated system, this will change. While not strictly part of our mandate, we were impressed by the ample evidence we saw that the overall security posture of the Census has benefited from the technological advances and automated processes to be employed in 2006. These changes certainly represent a significant step forward in addressing a number of key business pressures. However, they also bring with them capabilities that will reduce the risk of security breaches associated with a heavy reliance on paper records, and furthermore, will actually improve the level of protection for the personal information Canadians’ entrust to Statistics Canada when they complete their Census returns. 15 Annex A: Biographies of Task Force Members 16 L. Denis Desautels, OC, FCA L. Denis Desautels was Auditor General of Canada from April 1, 1991 until March 31, 2001. At the time of his appointment, Mr. Desautels was a senior partner in the Montreal office of Ernst & Young (formerly Clarkson Gordon). In addition to a distinguished career in the private sector, Mr. Desautels had extensive experience in public sector auditing and accounting at the federal, provincial and municipal levels. Mr. Desautels was born in St-Bruno, Québec in 1943. He attended schools in Montreal and earned a Bachelor of Commerce degree from McGill University in 1964. He joined the firm of Clarkson Gordon in Montreal and became a Chartered Accountant in 1966. In his 27 years with Ernst & Young, he served the firm in various capacities and in a number of offices, namely Montreal, Ottawa and Québec. He also carried out a number of significant assignments for the Office of the Auditor General of Canada and for a number of public sector organizations. At the time of his appointment as Auditor General, he was Ernst & Young’s Regional Director of Consulting Services for the Province of Québec and the National Capital Region. In recognition of his contribution to the auditing and accounting professions, he was awarded the designation “Fellow” by the Order of Chartered Accountants of Québec in 1986. He had been a member of the Public Sector Accounting and Auditing Committee of the Canadian Institute of Chartered Accountants (CICA) since its foundation in 1981, and Chairman of the Committee for 1984-85. He was awarded the designation of Fellow by the Institute of Chartered Accountants of Ontario in 1991. He was invested as Knight Commander of the Order of St. Gregory the Great in 1997 by the Archbishop of Ottawa and, more recently, he received honorary doctorates from the University of Ottawa, the University of Waterloo and Saint Paul University. He also has been appointed an Officer of the Order of Canada. As Auditor General of Canada, Mr. Desautels was responsible for conducting examinations of the operations of the Government of Canada and of its numerous Crown corporations and agencies, as well as those of Canada’s three territorial governments. The Auditor General’s reports to Parliament cover a wide range of issues dealing with accountability and the management of government programmes and the delivery of services to the public. He is presently a member of the Accounting Standards Oversight Council of the CICA, the National Awards in Governance Advisory Committee of the Conference Board of Canada and the Parliament Precinct Oversight Advisory Committee. He is also a member of the board of directors of CARE Canada, the International Development Research Centre, the Laurentian Bank of Canada, Groupe Jean Coutu (PJC) Inc., Bombardier Inc. and Alcan Inc. He is presently an Executive-in-residence at the School of Management of the University of Ottawa. 17 Jean-Pierre Soublière Mr. Soublière is the President of Anderson Soublière Inc., an executive focused consulting corporation. Founded in 1996, the Company has been an advisor to corporations such as the Merrill Lynch Investment Banking Group, Adobe, CGI, CivicLife.com, Dell Computer Corporation, NCS Pearson, SAP, Tempest Management, Open Text, SAS, ActiveSystems, and FreeBalance. The company also includes the Treasury Board Secretariat, the Public Serve Commission, Library and Archives Canada, the Ontario Government, the CBC, Statistics Canada as well as Human Resources Canada as part of its client list. Mr. Soublière was also the President and COO of Alis Technologies from January 1997 to January 1999. Previously, during his 19 years at SHL Systemhouse, he served as President, SHL Systemhouse Canada and International. Prior to joining SHL, Mr. Soublière worked for the Canadian Federal Government, Carleton University and Northern Telecom, and was a part-time instructor at the University of Québec-Hull. He is very active in the National Capital Region and in the high technology industry. He is a member of several Councils and Boards including United Way of Canada (past Chair), the University of Ottawa, the Harmony Foundation (Chair), Atomic Energy of Canada (Acting Chair), Provance Technologies Inc.(Chair), and the advisory board of Talent Map Inc. Mr. Soublière is also a past Board member of several organizations such as UniMedia Inc., Microstar Software Ltd., Simware Inc., Med-Eng Systems Inc., Positron Public Safety Systems Inc., E-Witness Inc, Nstein Technologies Inc., International DataCasting Corporation, the City of Gatineau’s Strategic Planning Committee, the Information Technology Association of Canada, the Canadian Advanced Technology Association, the Ottawa-Carleton Board of Trade, the Ottawa Health Research Institute, the University of Ottawa Hearth Institute, the Ottawa Hospital, and the Inter-American Development Bank’s Industry Advisory Council. He was the Chairman of the 1989 United-Way Campaign in Ottawa, and from 1998 to 1999, he chaired the task force that coordinated health care re-structuring in the region. In 1998, he chaired the Canadian Federal Government’s Ad Hoc Industry Advisory Committee on Electronic Commerce. He was also a member of the Canadian E-Business Opportunities Roundtable, and the GOL Advisory Committee to the President of the Treasury Board of the Government of Canada. He was the Moderator for the Government of Canada’s Innovation Summit for the Ottawa-Gatineau Region, and he served as an advisor to the Auditor General on Management Reporting. In addition, Mr. Soublière is leading a project to help optimize IT within the independent health care organizations in Eastern Ontario, including the 19 hospitals, home care, long-term chronic care, and primary care. He also is the independent ombudsman for the whistle blowing policy within the CBC, a member of the Services Canada Advisory Board, and one of three members of an independent panel providing oversight as to the security of information for the 2006 Census. In 1995, he was named Business Person of the Year by the Ottawa-Carleton Board of Trade. He was also awarded the 1996 Prix d’Excellence by the Regroupement des gens d’affaires, the 1997 Trudeau Medal by the University of Ottawa, the President’s Award as a volunteer for United Way in Ottawa in 1996, the Queen’s Golden Jubilee Medal (2002), and the Order of Ottawa for Economic Development (2004). 18 Mr. Soublière graduated from the University of Ottawa with a Bachelor of Commerce Degree in 1967, and received a Masters of Business Administration Degree from the University of British Columbia in 1971. 19 Simon Gauthier, PhD, P. Eng Simon Gauthier is the Senior Manager for Information Technology and General Services at the Inter American Development Bank (IDB) in Washington, DC. In this capacity, he oversees the functions of the Chief Information Officer of the IDB as well as the delivery of administrative services essential to the Bank’s operations, both at the Bank’s Headquarters as well in 28 Country Offices located in Mexico, Central and South America and the Caribbean. After graduation from the Royal Military College in Kingston, Ontario, Simon held numerous assignments within the Canadian Armed Forces over a period of 14 years. He then moved to the Communications Security Establishment where, over a period of 18 years, he served in a variety of management positions with increasing scope and responsibilities, culminating in the position of Deputy Chief for Information Technology Security. Mr Gauthier joined the Chief Information Officer Branch at the Treasury Board Secretariat in May 2003, and assumed the functions of Deputy Chief Information Officer (DCIO) for the Government of Canada. In this capacity, he oversaw, among other initiatives, the development of the Management of Information Technology Security Standard (MITSS) for the Federal Government. 20 ΠωΧ Robert J. Reimer CA•CISA CA•IT CISM Mr. Reimer has been with PricewaterhouseCoopers for over 21 years. Currently, as an Advisory Services Partner, he leads the Manitoba / Saskatchewan Risk & Regulatory and Performance Improvement service areas. He is also the National Partner for the Canadian Information Security practice. He is a Chartered Accountant, a CICA and ISACA Certified Information Systems Auditor, a CICA Information Technology professional, and an ISACA Certified Information Security Manager. In 1989, Mr. Reimer was the sole Canadian selected of 26 Price Waterhouse professionals globally to receive six months intensive training in information technology, information systems risk management and IT audit at a specialized global training facility in the US. On his return to Canada, he was instrumental in growing the Canadian information risk management practice over the past 17 years. Mr. Reimer advises large public, private and public sector entities in the areas of assessment, design and implementation of information systems and technology risk management and control programmes, business process control and improvement, independent assurance and advisory services on outsourced information systems, CEO / CFO controls certification, business continuity planning, IT effectiveness, internal audit and privacy. Mr. Reimer has provided risk management, security, controls and audit advisory services to both the federal and provincial levels of government and related organizations. He has been performing and leading outsourced controls audits of large, complex organizations since 1991. He has been an advisor on privacy considerations. Mr. Reimer is currently active on the CICA Information Technology Advisory Committee and the Technology Committee of the United Way of Winnipeg. Previously, he was appointed to the Privacy task force for the United Way. Mr. Reimer was an active core member on the joint CICA / AICPA Task Force in the development of new assurance services for the CA / CPA profession, including the creation of principles and criteria for Systems Reliability, known as SysTrust. Mr. Reimer was an active member on the Board of the Information Systems Audit & Controls Association, and was a contributing writer of the international standards of CoBiT – IT Management Controls and Guidelines Version 3. He also assisted the CICA with the development of the body of knowledge for certification as a CA technology professional in the IT Alliance. Mr. Reimer is a frequent speaker on the above noted topics in Canada and the U.S. 21 Annex B: 2006 Census Milestones 1. Strategic Planning Conference 2. Questionnaire Formats Test 3. Issue Census Outsourcing Contract RFP 4. Award Outsourcing Project Phase I Contract 5. Award Outsourcing Project Phase II Contract 6. Complete Design of Outsourced Activities 7. Initialize Dwelling Frame for 2004 8. Start 2004 Dress Rehearsal Block Canvass 9. Finalize 2004 Dress Rehearsal Questionnaire 10. Start Printing/Inserting 2004 Questionnaire Package 11. 2004 Dress Rehearsal Late Block Canvass 12. 2004 Dress Rehearsal Integration System Test 13. Start 2004 Questionnaire Delivery 14. 2004 Dress Rehearsal Census Day 15. Complete 2004 STC Retrieval Database 16. Submit Content for Cabinet Approval 17. Award Outsourcing Project Phase III Contract 18. Cabinet Approval for Questionnaire Content 19. Questionnaire Content Gazetted 20. Establishment of 2006 Census products/services line 21. Start Printing/Inserting 2006 Questionnaire Package 22. Initialize Dwelling Frame for 2006 Census 23. Start 2006 Census Block Canvass 24. Conduct 2006 Census Integration System Test 25. Start Early Enumeration 26. 2006 Census Late Block Canvass 27. Start 2006 Questionnaire Delivery 28. 2006 Census Day 29. Start Failed Edit Follow-up (FEFU) NOVEMBER 1999 APRIL 2002 SEPTEMBER 2002 FEBRUARY 2003 JUNE 2003 JULY 2003 SEPTEMBER 2003 SEPTEMBER 2003 OCTOBER 2003 NOVEMBER 2003 JANUARY 2004 MARCH 2004 APRIL 27, 2004 MAY 11, 2004 SEPTEMBER 2004 NOVEMBER 2004 SEPTEMBER 2004 FEBRUARY 2005 MAY 2005 MAY 2005 JULY 2005 AUGUST 2005 SEPTEMBER 2005 FEBRUARY 2006 FEBRUARY 2006 FEB/MARCH 2006 MAY 2, 2006 MAY 16, 2006 MAY 17, 2006 22 30. Start Non-Response Follow-up (NRFU) 31. Complete Collection Activities 32. Release Population & Dwelling Counts 33. Complete 2006 STC Retrieval Database 34. Major Releases of 2006 Census data 35. Final Estimate of Net Under Coverage MAY 26, 2006 JULY 31, 2006 FEBRUARY 2007 MARCH 2007 APR 2007/JAN 2008 SEPTEMBER 2008 23 Annex C: Statistics Canada’s Overview of the 2006 Census As previously mentioned, the methodology for the 2006 Census of Population has moved away from a decentralized, manual approach of data collection and capture, to a more centralized and automated approach. A large part of this has been achieved by the introduction of new data collection methods, namely the mailing out of census forms, and the option of returning forms online. Another part of this has been realized by the adoption of new, more efficient data processing technology. The shift in collection and processing has occurred in response to internal and external pressures, the primary forces of which are outlined below. The Government On-Line initiative requires Statistics Canada to offer its respondents electronic options for the return of their data. As part of the 2006 collection methodology, respondents have the option to respond using a secure Internet channel. With every census there is a demand among users for earlier release of data. The use of automated technologies will facilitate the timely release of the census data. In previous years, Canada Customs and Revenue Agency (CCRA) performed the manual keying operations required for data capture. This agency (now Canada Revenue Agency) is moving away from these manual operations, presenting Statistics Canada with an opportunity to employ new cost-effective automated data capture methods such as Optical Mark Recognition and Intelligent Character Recognition. The Canadian public has expressed concerns over personal privacy, security and confidentiality which have grown in recent years. In the past, a decentralized methodology of questionnaire delivery and return, whereby local residents were recruited as enumerators, contributed to this concern. A centralized processing methodology is a positive step towards addressing this issue. The Census requires a large, costly temporary work-force for the data collection activities. Using a mail-out methodology allows the size of this work-force to be reduced substantially. 2006 Methodology As previously mentioned, for the 2006 Census, data collection and processing are based on a flow processing scheme, taking advantage of new data collection methods and data processing technologies. Within this flow processing scheme, the vast majority of questionnaires progress through the various field and data capture operations independently. Not all stages of the process apply to all the questionnaires; instead, the flow is based on the specific conditions relating to a particular questionnaire. It means that unlike previous censuses a questionnaire can be processed immediately, rather than “waiting” for other questionnaires in the same Enumeration Area (EA) to be completed before progressing. As an example, consider a questionnaire that is mailed out and mailed back. As this is a paper questionnaire, it requires data capture activities. Furthermore, as it is self-enumerated, some responses may be incomplete, and thus it is subject to failed-edit follow-up (FEFU). In contrast, another questionnaire may be left at a dwelling where the respondents use the Census Help Line to complete their questionnaire. As the data are transmitted electronically, this questionnaire does 24 not require data capture, and as it is completed by interview, it is not subject to FEFU. The difference between this methodology and that employed in previous censuses lies in the movement of forms from the field to processing, independent of other forms in the same EA. Frame The frame for the 2006 Census is based on both dwellings and areas. Whereas in 2001 the frame consisted of geographic areas in which collection activities were controlled, this time around the same is true only of certain parts of the country. For other parts the frame contains information down to the dwelling level, so that census forms can be mailed out in these areas. Before discussing delivery methods, however, brief mention will be made of the form the frame will take in 2006. The Master Control System (MCS) is the centralized frame and database for the 2006 Census. It allows questionnaires flowing through different parts of the process to be tracked and registered, and data about them stored. It contains a dynamic frame of dwellings, which is updated as new dwellings are discovered and added, and as any dwellings found to be invalid are deleted. There are a number of interfaces between the MCS and other systems, most prominently with Field Operations and the Data Processing Centre (DPC). These interfaces allow for constant updates on the status of questionnaire processing from one system to the other. This is especially useful given the continuous nature of processing in 2006; that is, the fact that at any one point in time questionnaires can be at very different stages of data collection and processing. Delivery Methods During the 2006 Census, there are two methods used for delivering questionnaires: List/Leave and mail-out. Canvassing is also used to enumerate some respondents. While List/Leave drop-off and canvassing were also used in 2001, mail-out is employed for the first time in 2006. It takes over from List/Leave as the primary method of enumeration, accounting for upwards of two-thirds of all dwellings across Canada. List/Leave accounts for most of the remaining questionnaires, with canvassing only occurring for a small proportion. List/Leave (LL) enumeration refers to the delivery of questionnaires at dwellings by an enumerator. For mail-out (MO) enumeration, Canada Post Corporation delivers the questionnaires to dwellings. Canvassing refers to the completion of questionnaires via interview between an enumerator and the respondents (the questionnaires are not dropped off). It is used for areas that are traditionally difficult to enumerate, namely remote/northern areas, Indian reserves, and certain urban areas with a record of poor response rates. Collectives are enumerated in a manner similar to that in 2001, with a mixture of interviews, self-enumeration and use of administrative records. Response Channels Respondents completing questionnaires delivered by LL or MO have the following three response channel options available to them: they can complete the paper questionnaire and mail it back directly to the DPC; they can complete their questionnaire via the Internet Response Channel (IRC); or they can contact the CHL where operators can collect the information via computer-assisted telephone interview (CATI). 25 For collectives and for areas that are canvassed by enumerators, the questionnaires are shipped to the DPC in batches from regional sites, known as Local Census Offices (LCOs). Non-Response Follow-Up In 2001, Visitation Records, which record summary information about each dwelling in an EA, were used to ascertain which dwellings had not yet responded and would therefore be subject to nonresponse follow-up (NRFU). In contrast, in 2006, a list of dwellings to be subject to NRFU activities is generated by the MCS some time after Census Day, and sent to LCOs. Enumerators follow up dwellings for which no response has been gained, by telephone or in person, and feed the results of their activities back to the MCS. Registration of Questionnaires All questionnaires, both paper and electronic, are registered as they are received at the DPC. Mailed-back, canvassed and NRFU-completed questionnaires are always received in paper form. These are manually registered as quickly as possible. In contrast, electronic questionnaires received via IRC or CHL are registered automatically within the DPC. The DPC sends daily registration updates to the MCS, allowing for a count of received questionnaires to be maintained, and helping to determine which dwellings still have not responded. Data Capture In a departure from previous censuses where data were captured manually, in 2006 data are captured from the scanned questionnaires using Optical Mark Recognition (OMR) and Intelligent Character Recognition (ICR) technology. OMR operates by detecting the absence or presence of a mark. It is used for those responses on the questionnaire that require marking one of a series of circles. ICR is the technology whereby images of hand-printed characters are turned into machinereadable characters. If questionnaires cannot be read by automated means (e.g. because the confidence level resulting from the capture was low, due to factors such as poor handwriting or extraneous pen markings), data capture can be completed manually by keying from the image (KFI). If scanning did not result in a clear image of the questionnaire or the questionnaire is too damaged to be scanned, keying from the paper form (KFP) may be necessary. Edits Following data capture, several edits are applied to the data to check that questionnaires have been completed to a satisfactory level. While in 2001 some edits occurred in the field, in 2006 the series of edits is applied immediately following data capture. All responses received are subject to Coverage edits. These comprise checks for completeness and consistency, ensuring, for example, that the number of persons present throughout different parts of a questionnaire is consistent; that each person is only counted once, etc. The scanned images of questionnaires are consulted to resolve any problems. Responses received from the mail or Internet channels are then subject to Completion edits. Again, these edits check for completeness and consistency of the questionnaire responses. If the questionnaire fails the completion edits it is sent for failed-edit follow-up. 26 All long form responses, regardless of how they are enumerated, are subject to Income edits. These check outlier income values to ensure they are valid and not the result of errors from respondents, field operations, or data capture. They are resolved manually by operators using an interactive system. Difficult to resolve cases are sent to subject matter experts for resolution. Failed-Edit Follow-Up The forms which fail completion edits undergo failed-edit follow-up (FEFU). Contact and name information from these forms is sent to CHL call centres, where telephone operators call respondents in an attempt to fill in the gaps or to resolve coverage problems. Data inconsistencies (i.e. 12 years of age and married) are not resolved in FEFU but rather during the Edit and Imputation processes. Coding Unlike in 2001, in 2006 the industry and occupation variables are coded automatically, as are all other write-in responses. Interactive coding systems are again being used by Coders and Subject matter experts for write-in responses that could not be coded automatically. Some of the improvements for 2006 include the use of Postal Code information to assist the coding of the mobility questions and the availability of the questionnaire images directly in the interactive coding systems. Other changes include the use of updated classifications and code sets: Industry coding will be based on the 2002 NAICS (North American Industry Classification System) and Major Field of Study will be based on CIP (Classification of Instructional Programmes). Response Database The DPC maintains all the data until they have successfully passed through the edit processes. It then forwards them to a Response Database (RDB). The RDB holds not only all the final data for different variables, but also administrative data to identify and characterize each dwelling; information on the results of edits and NRFU for each dwelling; and information from the field to help with later analysis of the impact of different collection methods on data quality. Edit and Imputation As in 2001, the edit and imputation process is the final “clean-up” of data that attempts to resolve missing, invalid and inconsistent responses. The Edit and Imputation database is created using information extracted from the RDB. This database contains all the information needed to run edit and imputation processes. Also, as in 2001, the data are weighted to represent the entire population. They are stored on a Retrieval database, which is made available for dissemination. 27