LEGISLATIVE ASSEMBLY OF MANITOBA

THE STANDING COMMITTEE ON PUBLIC ACCOUNTS

Tuesday, June 6, 2023


TIME – 1 p.m.

LOCATION – Winnipeg, Manitoba

CHAIRPERSON – Mr. Jim Maloway (Elmwood)

VICE‑CHAIRPERSON – Mr. Shannon Martin (McPhillips)

ATTENDANCE – 9        QUORUM – 6

Members of the committee present:

Messrs. Guenter, Isleifson, Lamont, Ms. Lathlin, MLA Lindsey, Messrs. Maloway, Martin, Michaleski, Schuler

Substitutions:

Mr. Schuler for Mr. Smook

APPEARING:

Mr. Tyson Shtykalo, Auditor General

WITNESSES:

Mr. Joseph Dunford, Deputy Minister of Consumer Protection and Government Services

Ms. Lanette Siragusa, Chief Executive Officer, Shared Health

Mr. Hong Chung, Chief Information Officer, Province of Manitoba

Mr. Doug Snell, Chief Operations Officer, Shared Health–Digital Shared Services

MATTERS UNDER CONSIDERATION:

Auditor General's Report – Aging Information Systems, dated February 2022

Auditor General's Report – Information Systems–Privileged Access, dated October 2022

* * *

Mr. Chairperson: Good afternoon. Will the Standing Committee on Public Accounts please come to order.

      The–this meeting has been called to consider the following: the Auditor General's Report–Aging Information Systems, dated February 2022; and Auditor General's Report–Information Systems–Privileged Access, dated October 2022.

Committee Substitution

Mr. Chairperson: I'd like to inform the committee that under rule 104(2), the following membership substitution has been made for this meeting only: Mr. Schuler for Mr. Smook.

* * *

Mr. Chairperson: Are there any–[interjection] oh, the other one. Okay.

      For the information of the committee, there's been a request for the following witnesses to be able to speak on the record and to answer questions from members: Hong Chung, CIO for the Province of Manitoba; and Doug Snell, COO for Shared Health, Digital Shared Services.

      Is there leave of the committee to allow them to speak on the record if required? Agreed? [Agreed]

      Are there any suggestions from the committee as to how long we should sit this afternoon?

Mr. Shannon Martin (McPhillips): Mr. Chair, I'd suggest we sit 'til 3 p.m. and reassess at that time.

Mr. Chairperson: It's been suggested by Mr. Martin that we sit 'til 3:00 and reassess at that time.

      Agreed? [Agreed]

      Does the Auditor General wish to make an opening statement?

Mr. Tyson Shtykalo (Auditor General): With respect to my report on aging information systems, I'd first like to introduce the staff members I have with me today. I'm joined by Wade Bo-Maguire, assistant auditor general for IT and Innovation; Ian Montefrio, audit principal, IT and–IT audit and innovation; and Stacey Wowchuk, assistant auditor general, performance audit.

      Mr. Chair, the Province of Manitoba relies on information systems to deliver a wide range of services that Manitoba depends on. This includes online registrations, program applications and fee payments. These information systems include hardware such as servers, firewalls, switches and routers as well as the software that runs on these devices.

      As these information systems age, they become more susceptible to risks, including extended system outages, decreased system reliability and increased security vulnerabilities. Aging systems may also be unable to keep up with the evolving needs and expectations of Manitobans.

      It's important that the age and suitability of information systems be monitored to make sure that they are replaced or upgraded when needed. In my report, Aging Information Systems, we found that the Province has not adequately identified and managed the risks associated with aging–with operating these aging information systems.

      More specifically, we found there were limited factors used to determine the risks of continued use of these systems. Without considering more extensive risk factors, some of the current risk ratings could be either under- or overstated.

      We found there's no centralized monitoring of risk assessment results. This is a missed opportunity to identify causes of risk across all departments and take a system-wide approach to risk mitigation. We also found limited involvement from the departments in assessing the risks of the systems they use and in verifying the accuracy of the information systems' inventory.

      My report includes eight recommendations to help the Province improve risk assessment processes and reduce the probability of adverse impacts to information systems. My report includes the department's responses to my recommendations and indicates that management is aligned with the recommendations in principle.

      I'd like to thank digital technology solutions and the departmental management and staff we worked with for their co-operation and assistance on this project. Also like to thank my audit team for their hard work.

      With respect to the privileged access report, Mr. Chair, information systems help the Province deliver a wide range of services, including health care, online registrations, provincial program applications and fee payments. These systems contain a considerable amount of personal, health and corporate information, making them a target for cyber-threat actors.

      The Province relies on privileged users, also known as system administrators or superusers, to oversee these information systems. Privileged users have more privileges and authority than general users. They can perform activities such as adding and removing users, modifying privileges, changing system configurations and security settings and altering data tables.

      Cyber-threat actors specifically target privileged users with the intention of taking control of information systems. An unauthorized individual with privileged access could potentially steal data or funds, disrupt operations or cause a system outage. As a result, government standards mandate additional controls be applied to protect privileged access accounts.

      In my report, privileged access, information systems, we found the Province is not adequately controlling privileged access rights to prevent unauthorized access to information systems. In previous reports issued by my office, we've noted issues regarding poor controls and a lack of monitoring of privileged activities. Unfortunately, we continue to identify similar issues in this report.

      This report contains five recommendations to help the Province strengthen privileged access controls, and I'm pleased that the department and Shared Health agree with the recommendations and are committed to resolving the issues we identified.

      In conclusion, again would like to thank the management and staff from the department as well as from Shared Health, for their co-operation and assistance during this audit, and I'd like to thank my audit team members for their dedication and hard work.

      I look forward to the discussion today.

Mr. Chairperson: Does the deputy minister wish to make an opening statement, and would he please introduce his staff joining him here today?

Mr. Joseph Dunford (Deputy Minister of Consumer Protection and Government Services): My opening remarks will cover both reports as well.

* (13:10)

      My name is Joe Dunford. I'm the deputy minister for the Department of Consumer Protection and Government Services. With me today is Hong Chung, the Province's Chief Information Officer and lead for Digital and Technology Solutions, or DTS.

      And also with me is Ann Leibfried, the acting executive financial officer for the department.

      First off, I would like to thank the Office of the Auditor General for the work on both reports. Consumer Protection supports and protects the interests of Manitoba's consumers, citizens, business people, landlords, and tenants.

      Government Services is responsible for the modernization of government services, including procurement, IT, capital planning, project delivery, and asset management for government's vertical and underground infrastructure.

      DTS is Manitoba's central organization for IT systems and services, including cybersecurity. These information systems support a wide range of government programs.

      In 2022, the Auditor General released two information system reports: Aging Information Systems; and privileged access. Both audits highlighted opportunities for improvement to mitigate operational risks linked to underlying information systems.

      The department accepts and agrees with the recommendations in both reports and has begun implementation of the actions to address the findings.

      Since the release of the Aging Information Systems audit report, the department has developed an action plan to address the recommendations outlined. Furthermore, many of the items have been completed or are in progress and targeted for completion within the fiscal year.

      The department has updated its IT–or, ICT standards used as the basis for technology risk rating; updated ICT standards and application portfolio assessment processes to better align with the annual budget cycle; updated the classification framework for determining system risk, including the addition of stakeholder impact; updated the application portfolio management process to include increased stakeholder engagement; increased governance to reduce risk of errors, and frequent reviews to keep information relevant, and begun exploring automated systems and tools to improve existing processes.

      The report identifies concerns with the limited distribution to stakeholders and the lack of a combined ICT asset condition report spanning all departments.

      While the department agrees increased collaboration with stakeholders is important, due to the sensitivity or sensitive nature of the information contained within the ICT asset condition reports, authorized stakeholders receive only the information relevant to their programs.

      Since the release of the privileged access report in October of 2022, the department has developed an action plan and has taken steps to increase controls for privileged access to reduce cybersecurity risk.

      The department has updated the process to regularly verify each privileged access is necessary and authorized; initiated the development of an automated process to more tightly couple human resource events to the removal of privileged access; initiated an assessment to enhance privileged access logging, monitoring and event detection with increased automation using the Province's security information and event management tool, or SIEM; initiated a plan to introduce new automated privileged access management tools; initiated a privileged access policy review and initiated planning to increase awareness and training efforts.

      While the department agrees with the recommendations in both reports and accepts them, we are also cognizant that there are both technology limitations and dependencies on human input that will prevent the complete elimination of errors.

      The department's approach to managing information systems' policies, prioritization and investments is based on a risk management framework and balances the business risk with the financial and operational costs. The framework continues to evolve and the department will collaborate with stakeholders to better define, refine and roll out across the province.

      We also recognize the technology and cyber landscape continues to evolve at a rapid pace, and a cyber threat environment is far from static. To adapt, the department will continue to build upon the actions presented today and in the report to further reduce and mitigate current and new threats.

      Given the sensitive nature of the topics being discussed today and the potential implications to cybersecurity, we may not be able to go into specific details when answering some of the committee's questions.

      Lastly, I would like to thank the Office of the Auditor General for their efforts at helping us improve our controls and mitigate risk resulting from information systems. Hong and I look forward to the opportunity to respond to your–to any outstanding questions you have today.

      Thank you.

Mr. Chairperson: Thank you.

      Does the CEO for Shared Health wish to make an opening statement, and would she please introduce her staff joining her here today?

Ms. Lanette Siragusa (Chief Executive Officer, Shared Health): Good afternoon, and thank you for having us here today to present and respond to questions related to Shared Health's completed and ongoing work related to the October 2022 OAG Report on Information Systems, Privileged Access.

      I am Lanette Siragusa, chief executive officer of Shared Health, and I am joined today by Doug Snell, chief operating officer of Digital Shared Services for Shared Health.

      I would like to thank the committee for the opportunity to provide comments and respond to questions, and offer our thanks to the office of audit professionals. I want to acknowledge their professional and collaborative relationship with Shared Health and our staff.

      On behalf of Shared Health, I want to acknowledge the findings and recommendations contained within the audit report. I will speak to the status of our response to a number of specific recommendations today, and both Doug and I look forward to the opportunity to respond to any outstanding questions you may have.

      But first, I would like to offer a bit of background about Shared Health, the organization. Shared Health was formed in 2018, envisioned as a collaborative entity that would lead and co-ordinate the planning of patient-centred care across Manitoba, with an end goal of improving access, reliability, quality and equity of health services for all Manitobans.

      As Manitoba's only provincial health authority, we also support a wide variety of centralized administrative and business functions for all health organizations throughout our province. This includes support for provincial technology services. In this function, digital shared services, led by Doug Snell–who is with me today–supports the digital systems for health organizations across Manitoba.

      The audit report covers a period from January 2018 to March 2022. During this time frame, Shared Health and Digital Shared Services were in their formation, with information technology staff, infrastructure and services transitioning from a number of individual organizations into Shared Health to form a new operating entity and shared services model.

      Throughout these transition activities, including both the audit interval and in the time since its conclusion, Shared Health initiated cybersecurity improvements to streamline processes and standards across the health infrastructure. This work included a number of initiatives that address findings within the scope of the privileged access report.

      In our provincial role, Shared Health collaborates with the departments of Labour, Consumer Protection and Government Services, digital and technology services on forward-looking plans, opportunities for alignment and standards on matters of technology, procurement and cybersecurity. The report on Information Systems–Privileged Access lists five recommendations, which I will now go through individually, identifying the status of our organization's response to each.

      Recommendation No. 1: We recommend that Shared Health prepare a list of authorized officials who will approve access to applications, grant access only after validating access approval from the authorized officials and retain the access approval documents.

      Status: Shared Health has implemented improvements to the processes and updated standards to reflect the recommendations, including maintaining a centralized list of authorized individuals who can approve access to applications, compliance processes, access standards and records retention practices.

* (13:20)

      Recommendation No. 2: We recommend that Shared Health investigate and implement automated solutions to improve management of privileged access and integrate access removal processes with human resources, to remove users promptly.

      Status: Shared Health is actively deploying automated solutions and operating procedures to improve the management of privileged access across the provincial infrastructures. Completion of this work is anticipated to occur in the second quarter of 2023.

      Shared Health is also collaborating with human resources to improve the integration of processes and technologies to remove user access promptly. Targeted completion of this work is fourth quarter of 2024.

      Recommendation No. 3: We recommend that Shared Health regularly review all privileged users to verify their access rights align with job responsibilities and to ensure unauthorized privileges do not exist; remove unnecessary access promptly after the review, and retain the access rights review documents.

      Status: Shared Health has operationalized a quarterly management review and compliance audit process of all privileged access, including any adjustments to access as required, and retention of access rights requested documentation.

      Recommendation No. 4: We recommend that Shared Health implement the identification and authentication standard and control recommendations presented in our letters to management.

      Status: Shared Health is actively implementing the recommendations to address the findings to align to published standards and control recommendations. No additional resource is required or identified at this time.

      And recommendation No. 5: we recommend that Shared Health log all privileged user activities; determine and regularly review risky activities and, where not already implemented, investigate methods to automate privileged user monitoring, including alerts of activities that should be reviewed.

      Status: Shared Health is actively deploying automated solutions to log all privileged user activities including provisioning, elevation of privilege, alerts for activities requiring review and procedures to conduct reviews with an anticipated completion in quarter four, 2023.

      We are now prepared to take questions on administrative-related items posed by the committee. We will endeavour to answer any and all inquiries here today. However, note that some questions may need to be taken as notice, in which case, we will provide a specific response in writing.

      Questions may be directed to either of us; however, Doug is most familiar with the audit findings and field of discussion related to privileged access.

      Doug has initiated the improvement projects to address the findings in the audit, and actively collaborates with the Department of Labour, Consumer Protection and Government Services on matters related to infrastructure, technology, procurement and cybersecurity standardization. He's able to take questions from committee members and to assist me in answering–in providing answers.

      That's it.

Mr. Chairperson: Thank you.

      Before we proceed further, I would like to remind the committee of the process that is undertaken with regard to outstanding questions. At the end of every meeting, the research officer reviews the Hansard for any outstanding questions that the witness commits to provide an answer to, and will draft a questions-pending response document to send to the deputy minister.

      Upon receipt of the answers to these questions, the research officer then forwards the responses to every PAC member and to every other member recorded as attending that meeting.

      I would also like to remind members that only questions of an administrative nature are to be placed to the witnesses and that policy questions will not be entertained and are better left for another forum.

      The floor is now open for questions.

MLA Tom Lindsey (Flin Flon): Sorry. Trying to operate off a phone, because I'm really remote today; I'm up in Thompson.

      So, my first question is in relation to the aging information systems audit. We know that there's a number of issues there, and part of the audit was to do the proper assessment to determine what were the highest risks, where they were and what the recommended changes would be.

      So, I guess my first question is: Has that risk assessment been completed, or how far along in the process is it? And has this risk assessment resulted in any changes?

Mr. Dunford: Thank you for the question.

      So, that risk assessment has been completed. It will be one that will continue to be ongoing, as well. There were items in that that we found that we have addressed since, so there's certain programs that we closed down or systems that we've had to deal with, without getting into specifics.

      But yes, we have done that assessment.

Mr. Chairperson: Mr. Lindsey, would you please unmute your microphone.

MLA Lindsey: Sorry about that, thought I had.

      So, you were saying that the risk assessment is completed and some issues have been addressed.

      So, through this system, the–I'm assuming there's multiple different information systems used by different departments. Is there a move to reduce the number of those systems to integrate them into one system? Is that already, kind of, the process?

      And you have some outstanding issues identified in the risk assessment. Could you tell us what the status is as far as mitigating those risks?

Mr. Chairperson: The deputy minister. [interjection]

      Mr. Chung.

Mr. Hong Chung (Chief Information Officer, Province of Manitoba): Good afternoon.

      So, yes, there are multiple systems, as you've identified. There are hundreds of systems within our government environment. Each will have its own individual risk profile.

      So, the–we are working through the assessment and the report that came out of the assessment, and part of the strategy is to look at each individual asset and determine what the best action of approach is–or, the best approach to take is. In some cases, it's mitigating the existing risk based on some information and findings that we've uncovered. In other cases, it will include some migration, which means replacing to other, more modern technology.

* (13:30)

      And in many cases, we are looking at opportunities for us to consolidate and rationalize our applications.

Mr. Len Isleifson (Brandon East): I'm looking more at the process of shared network infrastructure. And I would understand that, if a report came in and it looks like it comes in on a regular basis, that there may be something that is creating risk within the IT infrastructure.

      I'm wondering–and I know we only have two departments here–but, how does it process so that we can be sure that every single department that is using shared infrastructure is aware of the risk, and how do they respond? Is there communication among departments through the IT process to ensure that everything has been addressed in each department so that one doesn't get overlooked?

Mr. Chung: Shared infrastructure is managed and monitored centrally. So, within my organization, within digital technology solutions, we do look at what applications and what departments are impacted by the underlying technology and, based on that assessment, we do have communication processes to inform and collaborate with the impacted departments.

Mr. Isleifson: So, just a quick follow-up, then. So, with that process coming out, how often and how wide are the reports released–through the Chair–how widely informing are the reports released from the IT department so that everybody stays on that page and keeps a look at–out for adverse effects that might happen within their departments?

Mr. Dunford: These reports come out on an ad hoc and annual basis. So ad hoc, as needed, if there's a certain event of some sort, they would come out.

      In terms of their spread and their reach, the reports be very specific–the reports that our department gets will be very specific to them. For obvious security reasons, we want to make sure it's all compartmentalized for specific departments and that all of that broad knowledge is not spread everywhere for access. Okay?

MLA Lindsey: We're talking about aging infrastructure, particularly the IT infrastructure, and how to modernize it or ensure that things aren't being missed.

      One of the issues that comes up often in Flin Flon–because it's a border town and people from Saskatchewan get their health care at the hospital clinic in Flin Flon, Manitoba–but the computer systems between the two provinces don't talk to each other. So, when people have to go to a specialist in Saskatoon or a PA, they land up having to take their files in paper in shared vehicles with other people and chances of it getting lost are increased and the wrong people looking at the personal information.

      Is there any part of this process that would look at how to integrate interprovincial systems so that they're able to talk to each other, so that people don't have to carry paper files anymore?

Mr. Dunford: Thanks for your question.

      In considering this one, this one does appear to be a little bit outside of the scope of the audit; but in saying that, you know, we work with the health authority on any of these matters, and we'll continue to do so.

      So, if there is a specific example here that–to be looked at, it would be probably best addressed outside of this audit today, or the hearing for this audit today. Doesn't seem to fit with the scope of it.

MLA Lindsey: Okay, well I certainly appreciate if someone could look into it if it's outside the scope of this audit, because it is an ongoing issue that people up there go through on a regular basis.

      So, I guess to get back specifically to the audit then, one of the things that we're looking at is the collaboration with departments in assessing the risk for your IT assets, and pretty important that that all takes place.

      So, has there been a change in the process on how to collaborate with the departments, and are there some roadblocks that you've identified in that collaboration process to ensure that the risk assessments can be done in a timely manner?

Mr. Chung: There have been updates to the process, which include deeper collaboration with the departments involved.

      In terms of roadblocks, this is a new process for our organization as well as the departments, and most of the roadblocks are just related to helping people get up to speed and comfortable with the new process. No technical or no other roadblocks have been identified.

Mr. Dougald Lamont (St. Boniface): Thank you for coming today and presenting. I just had a couple of questions.

      On a couple of the recommendations, several of them actually, there are challenges, and the response from Shared Health was–well, the recommendations are focused on former regional IT programs; responses to the recommendations must consider the standardization of a provincial IT program requiring additional funding and resources to implement and maintain.

      So, you've–they've expressed that concern. I'm just wondering how that is impacting. Is it still the case that there are challenges with additional funding and resources in order to be able to achieve these goals?

Mr. Doug Snell (Chief Operations Officer, Shared Health–Digital Shared Services): Thanks very much for the question.

      And at the time that the audit was ongoing, there was a number of items of discovery that we were still working through with the cybersecurity program.

      Since that time, we've done the analysis and we don't require any further resources at this time based on the efficiencies we were able to extract and the standardization. It was just an unknown at that time.

Mr. Lamont: Just wondering when–there are a couple of areas under recommendation five about–and recommendation four, that the departments weren't agreeing with a blanket approach.

      So, can you just elaborate on what you mean by what the challenges were around implementing a blanket approach, and how the departments are planning to, sort of, I guess, achieve what the Auditor General has set out without taking a different approach, taking a non-blanket approach, I guess.

* (13:40)

Mr. Dunford: Thank you for the question.

      Our comment on the blanket approach really had to do with the life cycle of a program and where it is. You know, some programs could be very new, very recent and more advanced in terms–far along in terms of where they are, whereas some other ones we might have could be a little bit older and much further along in terms of their age–the age of their system.

      So, as a result, a blanket approach, because of technology limitations within those programs, is a little bit more difficult.

      I mean, obviously, we accept this recommendation, but we have to acknowledge that, at times, we will encounter some of those technology limitations as well.

Mr. Martin: Again, thank you for attending and participating in this.

      One of the comments–and this should be a very quick answer–but notes–in reference to recommendation No. 2 about implementation of automatic–automated solutions–notes that completion of this work is anticipated to occur in the second quarter of 2023.

      Just a quick question, are we talking about the fiscal year or calendar year?

Ms. Siragusa: Fiscal. Fiscal year.

Mr. Martin: Thank you very much.

      One of the situations I think that we're all facing, especially larger organizations, is the rise in the use of AI, artificial intelligence, when it comes to–whether it's ransomware, phishing or any number of cyber-led attacks.

      So, I guess my question is: What is your level of confidence in your ability to identify new and emerging threats and, as well, whether or not you feel you have the necessary resources–because a lot of this is new and developing technology and, let's be honest, technology can be expensive and that–so, whether or not you feel you have the necessary resources to address these new and emerging threats that have become highly sophisticated, to say the least.

Mr. Chairperson: Mr. Dunford–Mr. Chung.

Mr. Dunford: Sorry, this'll be a–oh. Go to Hong first.

Mr. Chung: As you correctly pointed out, this is an evolving space, and emerging technology does have implications on our processes and systems. And to keep up with it, we do continue to evolve our processes as well, as well as our technology.

Ms. Siragusa: I'm going to have Mr. Snell respond.

Mr. Snell: Yes, concurring with my colleague, it's an evolving space. As you point out, there are emerging threats. We work with partners to get the best information we can; however, programs–as Mr. Chung had mentioned–evolve day-to-day, week-to-week, and, in response, we put plans in place to mitigate or manage those risks internally.

      The work we do is largely around evolving the practices that we have and the processes to manage the internal risk and administrative controls. Technical controls and the partners we work with evolve over time based on the persistent threats that we see in the environment, as was witnessed through COVID.

Mr. Brad Michaleski (Dauphin): Thanks, everybody, for coming here today.

      My question–first question–relates to recom­men­dation No. 5, the explanation that was given by Ms. Siragusa, and I ap­pre­ciate the responses to all the recom­men­dations that you provided. But my question is regarding deployed automated solutions. And, I'm not an IT pro­fes­sional by any means or familiar with these systems, but, you know, I understand these systems can help tre­men­dously in, sort of, data manage­ment and efficiencies of manage­ment.

      So–and you may not be able to answer–but my question is how–like, this software–and I think it was maybe mentioned–this is developed in-house cons­tantly? Or is this–and you mentioned partners, so, can you elaborate a little bit more on that? On, like, is this plug-and-play stuff that you guys are buying and incorporating or are you developing and how does that work? And what is the, sort of, the legacy costs, manage­ment-wise? Is there–if you can elaborate a little bit more on that.

Mr. Snell: Thank you very much for the question.

      Yes, so, it's really broken into two items. So, there's the processes and practices that we have which evolve, and that's part of the work that the Office of the Auditor General is doing. Those change over time, and we adjust our processes and practices.

      And then, with respect to software to log–with respect to finding No. 5–or, recom­men­dation No. 5–those are–again, that market evolves over time, so what was available last year, new systems are on the market. Those are typically com­mercial solutions.

      There's configurations we put in place for our environ­ment and, in our case spe­cific­ally, in order to implement at scale, we've made decisions around partnering with the com­mercial solutions in order to maintain standards and capabilities for rapidly deploying and evolving with the needs of the market­place.

Mr. Michaleski: Okay, so just a–then, a follow-up. Again, you said the com­mercial–this a com­mercial market that you're accessing and playing around in to help you develop your–incorporate what we're doing.

      So, again, there's some legacy manage­ment issues in terms of proprietary software, things like that. You know, I'm–I don't know, I–if I'm off-track or not, but is there these costs–and how secure, then, are these tech­no­lo­gies that you're adopting, and like, maybe that's part of what you're buying, is the ability to put in your own security.

* (13:50)

      So, is–like, how really secure is this? And what is being done–you know, I think it's been answered that there's processes in place to make sure people have heightened, sort of, em­pha­sis on access–you know, how are we making sure and ensuring that the systems are secure?

      And then, also, the users are being–I understand that's generally what the audit is talking to, but–again, I–my concern, generally, is incorporating software–com­mercial software. And you know, the liabilities, I guess, for the Province or for your de­part­ment on maintaining these operating systems and updating, and those types of things.

Mr. Snell: Sorry. If I understand the question cor­rectly, really it's about the manage­ment of risk with respect to solutions that we have in place, processes that we manage and operate.

      In our case, in order to not only follow up with audits such as this and deter­mine the achieve­ment of the recom­men­dations and the findings, as well as the manage­ment of risk, we engage–sorry, we engage third parties to–third-party audit pro­fes­sionals to assist in the evaluation of the risk on those programs.

MLA Lindsey: So, looking at some of the reporting and how it works, it was noted in the audit that there were no input controls regarding the supporting tech­no­lo­gies, and it noted there were several errors in how the risks were assigned.

      In one case, a certain application was deemed to be yellow–medium risk, when in fact, according to ICT standards, that operating system was already under the retirement phase, which had led it to be–should have led it to be classified as red.

      So, I guess, who checks the infor­ma­tion that's being inputted into your risk system? Who checks that infor­ma­tion to ensure it's accurate, in a timely fashion, so that you're getting the best reporting, so that you can do the best mitigation practices?

Mr. Chung: Thank you for the question.

      As part of the work that we've done recently in response to the audit, we have updated our processes and gov­ern­ance. And that gov­ern­ance includes peer reviews, manage­ment reviews, as well as stake­holder reviews.

      And that'll help us mitigate and minimize any errors as a result of the–or, any errors in the system.

MLA Lindsey: Could you just explain a little bit about how the system works when you're doing things across multiple de­part­ments?

      If one de­part­ment identifies it a certain way, another de­part­ment identifies it some­what differently based on the infor­ma­tion they have, that there has to be some system to ensure the right balance and how those assessments are deter­mined.

      And is part of the problem the personnel, ensuring that it's the same personnel or the right personnel continuing through the assessment process? Does a change in personnel affect what someone determines is a high risk, low risk or medium risk?

Mr. Chung: Thanks for the follow-up.

      The process also includes the intro­duction of a new classification framework which does include both the tech­no­lo­gy and support element, as well as a busi­ness impact elements.

      From a tech­no­lo­gy perspective we do look at each system on an individual basis as we–and we look at not just the application itself, but the various components that are required to support that appli­cation.

      We do store the infor­ma­tion in a system and the way the process is defined is that the tech­no­lo­gy teams and my team would be respon­si­ble for leading the work–leading the analysis from a technical perspec­tive and we would engage the busi­ness stake­holders on the busi­ness side of things.

      And if an application supports multiple busi­ness stake­holders we would bring that collectively in and that would actually assist in the weighting of the risk, right? So if multiple de­part­ments are using the same application that would then, in practice, raise the busi­ness impact of that application.

Mr. Martin: And I'm cognizant, obviously, about your earlier comments about sharing certain infor­ma­tion and that. But one of the most fun­da­mental and easiest actions that any one of us can do, obviously under­take, when we're dealing with issues of cybersecurity, is backup.

      Now, the issue comes that often we don't personally and organizationally often check our backups until the time is needed. So, without getting in too much detail, again, for obvious reasons, I'm just looking for assurances that you're confident that the systems are in place, that the data is backed up should the need arise for a–if the system is com­pro­mised in such a way that backup is required. And if it isn't, if the necessary backup isn't available, why isn't it?

Mr. Dunford: Thank you for your question.

      The question, as I understand this, really what you're referring to is data centres and that type of backup system. For the scope of this audit that would be outside of this, so if you did want to get some infor­ma­tion on that, it would be some­thing that we could address outside of this Chamber.

Mr. Martin: Thank you very much for that question.

      The other question I have is spe­cific­ally more to the health de­part­ment, as we're obviously dealing with a lot of personal–potentially a lot of personal infor­ma­tion. I'm just curious: what are the–when a situation occurs, such as, you know, ransomware or some sort of cyberattack in which a–which individuals' personal data may have been accessed now, what are the protocols in terms of alerting those individuals or alerting, you know, the public at large that there has been a data breach and what actions and undertakings that they can take personally to protect their data and then, as well, protocols within Shared Health as to what actions they would under­take after the effect to protect people's data and personal infor­ma­tion?

* (14:00)

Mr. Snell: Thank you very much for the question.

      The scope of the privileged access audit for Shared Health didn't include matters of privacy; this is a matter of privacy in the legis­lation. However, you know, if that needs to be taken on ad­vise­ment or notice, we can certainly follow up after.

Mr. Lamont: I just had a question related to, I guess, the security when it comes to potential travel abroad or de­part­ment officials with privileged access bring­ing IT assets, whether it's gov­ern­ment phones or laptops, where security might be com­pro­mised.

      So does the de­part­ment have–or do the de­part­ments have a way to track the travel of IT assets or ensure that if anybody has some­thing of an aging asset that there is that extra level of security when travelling abroad or even travelling domestically?

Mr. Dunford: Thanks for the question.

      Yes, we do have processes and tech­no­lo­gies to enable us to track any gov­ern­ment-owned assets as they travel, yes.

Mr. Lamont: Just a question around recom­men­dation 3 in audits: You've imple­mented a quarterly manage­ment review and compliance audit process of all privileged access. Can you just talk a bit about how that audit works? I mean, is it all top-down or are there ability–do people have that capacity to also register that there's an issue or red-flag an issue if they're in a de­part­ment? Are the people able to report complaints like that as part of the audit–outside of the audit process as well?

Mr. Snell: Thanks very much for the question. This–assuming it's for Shared Health, given the response.

      So, in answer to the question, the process that we go through is on the provisioning and approval side first. So, there's a request, there are only three executive directors that have access to the approvals in our organi­zation, and they can only delegate laterally or up.

      And once those approvals are met, that approval includes also what the access is for, limited to the scope of the applications and the work required by that individual for the time required for that individual, and then we do quarterly audits to make sure that any revocation or the timely removal of inappropriate access is dealt with.

Mr. Chairperson: Mr. Lindsey. Mr. Lindsey, you need to unmute your microphone.

MLA Lindsey: It seems that the IT asset con­di­tion reports have limited dis­tri­bu­tion and lack of sufficient risk infor­ma­tion that would make it hard for every­body to be able to use the report properly. Plus, I understand that these con­di­tion reports are not neces­sarily always released in a real timely manner so people can take the ap­pro­priate action when they need to.

      So, perhaps you could just tell us what the game plan is to rectify those two con­di­tions that have been identified.

Mr. Dunford: The comment around timeliness of the reports, so, there were two aspects of that. One is–so, we will be producing these reports on an ad hoc basis, as needed. The other piece had to do with, if you look at the audit, had to do with lining up with our budget cycle. So, we have rectified that as well. That was a comment around timeliness in that.

      As for the dis­tri­bu­tion of the reports and the infor­ma­tion that's in them, that's one where–I spoke to it a little bit earlier in that the dis­tri­bu­tion does have to be limited. It has–be to the departments, key people in the departments, but obviously, for security reasons, there's a reason why those are limited in their dis­tri­bu­tion as well as the infor­ma­tion that's in them has a–very specific to the de­part­ment, for security reasons, obviously.

MLA Lindsey: So, thank you for that.

      So, now, to–for me, anyway, I realize others have got there before me–just talking about the access–privileged access. So, we know that the auditor has identified that the Province is not adequately control­ling privileged access rights. So, there's actual staff that have these access rights. There's also vendors that have privileged access rights.

      So, could you just briefly give us a–I guess, a high-level snapshot of what is in place, what system is in place to ensure that only the right people have that privileged access, and that is it isn't too broadly given out, recog­nizing that there's vendors and others that would have that access.

Mr. Chung: Thanks for the question.

      So, first off, we are, as the Auditor General had recom­mended, we are updating our provisioning and de-provisioning processes for privileged access, more tightly aligned with our HR processes. So, when there's a change in staff or a change in–like a move­ment in staff or departure of staff, we will be able to more promptly remove that access. So, that's the first thing.

      In addition to that, there are still approval processes that are required before somebody can get access to a privileged access account, which requires both the de­part­ment that's asking for the access to approve as well as the central–like, so–as well as my organi­zation to approve.

      And lastly, similar to what my colleague at Shared Health had talked about in terms of their audit process, we are imple­men­ting–we have updated our process to implement some­thing very similar, which will be utilized to catch anything that might have been missed through­out the processes.

* (14:10)

Mr. Michaleski: On–in the aging infor­ma­tion system of February 2022 report, on page 6 and 7, it talks about BTT–but I know that's not the right term–but they produce asset reports which are sent to de­part­ments to be considered as part of a de­part­ment IT demand planning. So, the language there is, it's produced and it's to be considered but not required.

      So, my question, then, is two part. Is this–is there no assurance, then, that gov­ern­ment has integrated control of operating systems and that they're working together?

      Because I think the basis of this report and a number of reports is questioning the control, on a number of levels, of manage­ment. And–case, I think, with Shared Health, we're talking about 2018 is sort of the start of a new model–operating model, so prior to is raising a lot of questions about just how the system was functioning.

      So, is there no assurance, now, that the gov­ern­ment has integrated control of operating systems, and that they work together?

      And number two, then, the Auditor General has referenced this move towards centralized–central monitoring. So, is this also sort of a catch-all that's being incorporated into, let's say, the shared–I can't use the Shared Health model because I think that centralized thing is meant to cross all de­part­ments. So, is that–what's the status of that as well? And is that a–you know, a major component of the transition that's going on right now, is incorporating centralized monitoring?

Mr. Chung: So, I'll answer the two questions directly.

      So, the integrated controls question related to the demand plan, the annual cycle and the inputs from the de­part­ments. So, we do–as part of our updated pro­cess, we do engage and we will engage, continue to engage with de­part­ment stake­holders on an annual basis to understand the risk of the specific system, and share that risk with them. And based on their inputs–and our inputs–we will prioritize and action accordingly. So, it is integrated from that perspective.

      As related to the central monitoring question, within the gov­ern­ment we do centrally manage IT for–I mean, there's some exceptions, but we manage–essentially manage IT. And because of that we are able to leverage the central controls–or, central mon­itoring that you're talking about, in terms of under­standing how systems are accessed. And it'll actually create more synergies for us to further enhance our solutions as we roll out more evolved tech­no­lo­gy and processes to further mitigate risk.

Mr. Michaleski: No further questions.

Mr. Chairperson: While I–we're all here, I would like to know whether–Mr. Chung, whether you could arrange a meeting of the PAC com­mit­tee over at your offices.

      I assume you have the same offices you had many years ago, where you have all the IT systems over there, and you can give us a pre­sen­ta­tion on what the functions are of each, you know, SAP, you know, all the updates and so on, about these things.

      Is it possible for you to do that, just for the members of the PAC com­mit­tee?

Mr. Dunford: We'll be happy to accommodate that request.

Mr. Chairperson: Okay, thank you very much.

Mr. Lamont: I'll just–just one other question. It's on recom­men­dation 2, the recom­men­dation Shared Health integrate access removal processes with human resources to remove users promptly.

      I see that Shared Health is collaborating with human resources to improve the integration of proces­ses and tech­no­lo­gies. Targeted completion of this work is fourth quarter of 2024.

      So you can just–I mean, that is 18 months from now. I'm just wondering, is–what's happening in the interim, in order to be able to make sure that user access is removed promptly, and is this simply the automation aspect of it that's being broadened?

Mr. Snell: Yes, thank you very much for the question. So, correct: Right now we have integrated processes, and we get reports from HR as timely as they can provide us. What that is talking about is the target date, where we have integration into the HR systems and payroll, so that we can get notified as soon as there's action on those systems to automate the removal of that access.

Mr. Lamont: That's it, thank you.

Mr. Michaleski: Just one final question. And it refers to the move in 2018 that Shared Health–and we're moving into a different system.

      So, where is–is Manitoba carving its own path, or where are we relative to other provinces in Canada?

Mr. Snell: Thank you very much for the question.

      Unclear at this time how that question relates to the scope within the privileged access audit for Shared Health, but would be happy to take the question away on notice for follow-up.

* (14:20)

Mr. Chairperson: Are there any other questions? No more questions?

      Hearing none–hearing no further questions or comments, I'll now put the question on the report.

      Auditor General's report titled Aging Infor­ma­tion Systems, dated February 2022–pass.

      Auditor General's report titled Infor­ma­tion Systems–Privileged Access, dated October 2022–pass.

      The hour being 2:21, what is the will of the commit­tee?

Some Honourable Members: Com­mit­tee rise.

Mr. Chairperson: Com­mit­tee rise.

COMMITTEE ROSE AT: 2:21 p.m.  