    Audit scope

    The amount of time and the number of documents involved in an audit are an important factor in all auditing. The audit scope ultimately establishes how deeply an audit is performed.

    A determination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination.

    The procedures considered necessary to achieve the objective of the audit.

    result from the different purposes listed below.

    The audit scope generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered.

    • It tells:

    o when the audit shall be conducted (start and end date).

    o what/who we are going to audit.

    o where the audit shall be done.

    Audit Objectives

    The primary purpose of the audit was to assess the effectiveness and efficiency of security measures and their compliance with Government Security Policy (GSP) and Operational Standards.

    The objectives follow Treasury Board's Audit of Security and Audit Guide to Information Technology Security and include the assurances that:

    • a management control framework exists

    • an effective security program is in place

    • security education and training is adequate

    • information/communications is appropriately classified and protected

    • an effective personnel screening program is enforced

    • security breaches are dealt with

    • physical safeguards are in place for the protection of personnel and assets

    • contingency management has been developed

    • security requirements are met in contract management and

    • threat and risk assessments are conducted on a regular basis and prior to major system, application and telecommunication changes.

    Audit Scope and Approach

    • The information used in this report was collected through the review of relevant documents, interviews and visual inspections of security measures on site. Interviews were also completed with the user community to obtain their comments and determine their understanding and capability to apply the security practices and standards in their own environment.

    • The audit team used the audit questionnaires and audit plan developed during the preliminary survey phase and reviewed the management control framework related to the security function.

    • The following elements were audited:

    o Security Management Control Framework

    o Administrative Security

    o Physical Security

    o IT Security

    o Personnel Security

    Conclusion

    We conclude overall that the Councils are taking adequate security measures and, in fact, have made significant progress over the past few years. Nonetheless, there are some existing weaknesses and concerns that still need to be addressed. As a result of our security audit we provide the following independent opinion in response to the audit objectives specified in the statement of work (Audit terms of reference):

    1. Is there a management control framework?

    Although there is an existing management control framework, it is not complete and we recommend the development of security accountability, security responsibilities, the completion of the Councils' Security Policy and several other related measures.

    2. Is there an effective security program?

    There is an existing and reasonably effective security program currently in place. Recommendations in this report will provide the program with the tools and means to be fully effective.

    3. Is security education and training adequate?

    Security education and training is currently not adequate. It is conducted on an ad-hoc basis and is not part of an overall security training and education program.

    4. Is information/communications appropriately classified and protected?

    We have made recommendations regarding the appropriate classification of information holdings.

    5. Is there an effective personnel screening program?

    The personnel screening program is effective.

    6. Are security breaches dealt with?

    Security breaches are dealt with on an ad-hoc basis. We have recommended the development of incident reporting procedures to ensure a common approach and to ensure that incidents are correctly reported and handled.

    7. Are physical safeguards in place for the protection of personnel and assets?

    There are effective physical safeguards in place for the protection of personnel and physical assets. We have made recommendations regarding awareness of personnel to potential physical risk situations.

    8. Has contingency management been developed?

    Contingency management has not been developed, except for a high-level 789 Disaster Recovery Plan for IT. A Disaster Recovery Plan is included within the overall Security Plan.

    9. Are security requirements met in contract management?

    Security requirements are not completely met in contract management. We have made several recommendations that will ensure compliance.