Management Response and Action Plan


A - For inclusion in the report

The findings and recommendations of the audit of IT Asset Management were presented to the Corporate Management Sector (CMS) and Chief Information Office (CIO) senior management. Management has agreed with the findings included in this report and will take actions to address most of the recommendations by March 2016, with the exception of one part of recommendation #5, by March 31, 2017, as it involves Shared Services Canada (SSC).

B - For follow-up purposes - Detailed actions to address the recommendations in the report

Recommendations / Action Plan

Recommendation 1:

a) CMS should ensure that during their three-year review cycle this fiscal year, the Asset Management Governance Structure document is updated to reflect the current roles and responsibilities of all internal stakeholders and re-align, where needed, some roles and responsibilities, acknowledging adequate segregation of duties.

Agreed. In collaboration with the CIO, CMS will update the Asset Management Governance Structure document to clarify the roles and responsibilities resulting from recent government initiatives and to ensure that adequate segregation of duties exists.

DG, Corporate Finance, Systems and Procurement Branch (CFSPB)
March 31, 2016

b) CMS, in collaboration with the CIO, should communicate these updates to IC staff.

Agreed. CMS, in collaboration with the CIO, will disseminate these updates throughout the department using existing communication tools such as:

- Updated training presentations
- CMS Staying in Touch newsletter
- Communications through Industry Canada's Corporate Services Network (CSN)

Recommendation 2:

a) CMS should ensure that during their three-year review cycle this fiscal year, departmental policies, directives and guidelines related to IT asset management are updated, in collaboration with CIO, to better support IC staff in fulfilling their roles and responsibilities.

Agreed. In collaboration with the CIO, CMS will update the following Asset Management and Materiel Management documents to better support IC staff in fulfilling their roles and responsibilities:

- IC Asset Management Governance Structure
- IC Framework for the Annual Asset Verification Exercise
- IC Standards for the Life Cycle Management of Departmental assets
- IC Standards for the Disposal of Electronic Electrical Equipment (EEE)
- POL Microcomputer Use
- POL Software Asset Management Policy

b) CIO should ensure that its specific governing documents related to IT asset management and procurement are updated in /16, in collaboration with CMS, to better support IC staff in fulfilling their roles and responsibilities.

Agreed. CIO, in collaboration with CMS, will review and update all directives and guidelines related to IT asset management and procurement. CIO will ensure that the intranet site is updated and that an article updating IC staff is posted in This Week at IC.

Director of Corporate Services, CIO
September 30,

c) CMS and CIO should consider synchronizing their review processes so that information related to IT asset management is being updated on a regular basis and at the same time.

Agreed. CMS, in collaboration with the CIO, will explore synchronizing their respective process reviews.

Recommendation 3:

a) The CIO should complete drafting their internal procedures and reflect them in the IT Approval Process document and communicate it to CIO staff.

Agreed. The CIO will complete documenting their internal procedures for the IT Approval Process. These processes will be communicated to CIO staff through an all staff and posted on the CIO Intranet site.

Director of Corporate Services, CIO
September 30,

b) The CIO should improve its governing documents related to the CIO approval process for the procurement of the IT hardware and software and communicate the changes to IC staff.

Agreed. CIO will review and update all directives and guidelines related to the IT approval process for procurement of all IT goods and services. CIO will ensure that the intranet site is updated and that an article updating IC staff is posted in This Week at IC.

Director of Corporate Services, CIO
September 30,

Recommendation 4:

CMS should update its documentation related to the annual asset verification exercise (including training material and procedures) to ensure attention is given by appropriate personnel to the sensitivity of information on missing IT assets with data storage capability.

Agreed. CMS will update the following guidance documents to ensure attention is given by appropriate personnel to the sensitivity of information on missing IT assets with data storage capability:

- IC Framework for the Annual Asset Verification Exercise
- IC Guidelines for the Annual Asset Verification Exercise
- IC Standards for the Disposal of Electronic Electrical Equipment (EEE)

Recommendation 5:

CIO, in collaboration with CMS, should require that departmental software (including licenses and renewals) be tracked in a centralized database to ensure software tracking activities meet the operational needs.

Agreed. CIO will work with CMS to conduct an options analysis for a Centralized Database to track departmental software. Meanwhile, during the transition (i.e. before the implementation of the recommended solution stemming from the options analysis), CIO, in collaboration with CMS, will reinforce and communicate the current roles and responsibilities of IC staff regarding software tracking activities to ensure they understand that business units are responsible for tracking software.

October 31, (options analysis)
October 31,

CIO will work with both CMS and SSC to implement the recommended solution stemming from the options analysis to ensure software tracking meets operational needs.

March 31, 2017 (implementation of solution)

Recommendation 6:

The CIO, in collaboration with CMS, should better define, document, and communicate the disposal process including those activities related to secure destruction and consideration of sensitivity of information.

Agreed. The CIO, in collaboration with CMS, will prepare guidelines defining the disposal processes in IC including secure destruction. CIO will also address in the guidelines what needs to be considered in regards to the information that is on the devices to be disposed. The CIO intranet site will be updated with the new directive and an article will appear in This Week at IC.

December 31,

Recommendations Management Letter

Recommendation 1:

The CIO, in collaboration with CMS, should carry out an assessment of the CIO Custodian's roles and responsibilities to ensure adequate segregation of duties within the area of IT asset management.

Agreed. The CIO will work with CMS to review the CIO Custodian roles and responsibilities to ensure adequate segregation of duties within the area of IT Asset Management and will adjust as per recommendations.

March 31, 2016

Recommendation 2:

The CIO, in collaboration with CMS, should improve the tracking and movement of the Department's Request for Volume Discount buffer stock in support of effective accounting for these assets.

Agreed. The CIO will request CMS to create an additional custodian account within the CIO to track the equipment purchased as well as the movement for the departmental buffer stock.

June 30,