Halifax police not keeping IT secure, misled board: auditor general
A report found that only five of 67 recommendations suggested in 2017 were completed, despite HRP claims
February 12, 2021, 12:07 pm AST
Last Updated: February 12, 2021, 12:07 pm
Few changes have been made by Halifax Regional Police (HRP) to protect information within its technology systems and assets since concerns were raised in a 2016-17 consulting report, according to the municipality’s auditor general.
“The purpose of our audit was to look at whether or not Halifax Regional Police appropriately manages risks to its IT systems,” auditor general Evangeline Colman-Sadd said to the audit and finance committee on Thursday.
“Our overall conclusion is that HRP is not.”
The 2019-20 Halifax Regional Police Information Technology Audit, released by Colman-Sadd, found that just five of the 67 recommendations had been implemented since 2017.
However, HRP had told the city’s board of police commissioners that it had implemented 13. According to the report, the police board had no information on any of the recommendations.
“We are concerned that the board was given incorrect information regarding the state of IT security at HRP,” Colman-Sadd said.
The HRP employee managing the force’s covert IT systems does not have a reporting relationship with its chief information security officer, and is not being supervised by someone with a background in IT, the report found.
“The board should expect to receive accurate information in carrying out its important oversight responsibilities,” said Colman-Sadd.
Current policies are lacking, report finds
The audit raised a number of other concerns about policies on the storage and security of on-site and off-site equipment, as well as about keeping technology asset lists updated.
Of the HRP policies in place, key security factors are either left out or outdated.
“It’s not a case of needing all of these new systems and all kinds of infrastructure money,” Colman-Sadd said. She added that many of the risks could be addressed by finalizing policies and getting them in place.
“The majority of them are documenting processes that might be in place, formalizing things, or operating policies that just haven’t been kept up to date and therefore are in step with current risks and IT security.”
According to the audit, HRM drafted policies following the 2016-17 report, although they didn’t have implementation plans and were never officially established.
“I guess the good news is that we’ve already heard from the chief and they’ve agreed to implement all recommendations,” Mayor Mike Savage said in Thursday’s meeting.
Some recommendations include:
- Create and apply a process that ensures HRP are providing accurate and complete IT security information to the board of police commissioners
- Establish a reporting relationship between the chief information security officer and all HRP staff with covert IT security responsibilities
- Finalize and implement IT security policies that include secure storage information and identify the levels of physical security needed at facilities
- Regularly maintain and update IT asset lists
A separate report was given to police and the committee, although it was kept confidential from the general public due to its sensitive nature.
Halifax Regional Police Chief Dan Kinsella said in a statement that HRP will focus immediately on the highest-risk categories, and has agreed to implement all recommendations put forth by the auditor.