Public Accounts (16 May 2006)

From Public Accounts Committee Hansard - 16 May 2006

To view this section on video, click here, and start play at 8:16.
Windows Media Player is required.

Public Hearing: Information Technology Office

Mr. D'Autremont: — Thank you, Mr. Chairman. I’d like to welcome the deputy minister and his officials here today.

Only two areas with major recommendations from the auditor’s report which I think is quite good, especially for a new department that’s coming into place. The auditor has talked about the need for signed service level agreements. And I believe the auditor talked about that starting to be in place as of August 2005. Do you have service level agreements in place now with all of executive government that you are working with? I know that there are still some sectors of executive government that you have not yet brought under your umbrella. But with those that you do have, do you have service level agreements signed with them?

Mr. Wincherauk: — I’ll let Mr. Antunes answer that question.

Mr. Antunes: — Sure. So right now we have 16 departments that we provide or that we’re working with on providing services to. Three of those departments are still under way in the integration process where we bring their environment into the ITO and we start to provide them with services.

So of the remaining 13, we have signed service level agreements with eight of those. Two are in the process of . . . we’re just waiting for the department to sign them. So we’ve been negotiated, and we’re just waiting for them to sign off on them.

There’s two that are being negotiated right now, these integration projects where two of the smaller departments were completed in a very quick timeline. I think each one of them was done within a three-week period. So we’re in the process of finalizing the negotiations on those service level agreements. And we’ve got one that an agreement was signed and we’re in the process of renegotiating it. So for the most part you know I think . . .

Mr. D’Autremont: — Thank you. What kind of agreements are you making in those for signature? What kind of goals, what kind of guidelines, what kind of assurances, guarantees of service do these agreements provide?

Mr. Antunes: — So basically there’s a number of metrics that we include so like things like how fast passwords will be reset, how fast we will restore computers, how fast we’ll set up if there’s a problem with it, how fast we’ll repair the computers, how fast we would provide new hardware, new software, set up new users, the network availability, how we back up data. So there’s a wide variety of different items that are covered off in the service level agreement.

And then what we do is every month we provide a report back on those key metrics to the department to let them know how well we met those targets. And there are metrics like for example I think on first-call resolution where people can phone in to the service desk and we attempt to resolve their calls on that first call 80 per cent of the time . So we have a target that we try to meet on that, and then we report back monthly on how well we’re doing on that.

Mr. D’Autremont: — When you have those measurements in place, how successful are you on your current system with what you had projected as a service for that charter when you signed it?

Mr. Antunes: — So for the most part, we’re meeting the targets that we’ve identified with the departments. I think the area where we’ve been having some problems in the last little while is just on hardware and software installations where we’ve been having some problems getting the actual hardware from the vendor. So we’re making some changes to that so that the vendor has more product in stock so we can meet our targets on how fast we set up computers. But for the most part, we’ve been meeting the requirements that are laid out in our service level agreement.

Definitely on network availability and those types of things, we’re definitely meeting all of those targets. It’s a very high reliable, high available environment.

Mr. D’Autremont: — Have you had any external reviews done of those service agreements such that . . . because this is inter-government, I mean, the bar could be set fairly low if you wanted to. Have you had any external reviews to ensure that the bar is set at an appropriate height level that it provides service to the client as well as within the bounds of what ITO can provide?

Mr. Norton: — Yes definitely. We have sought other people’s input into what appropriate service levels are. In fact we have put our service level slightly above where industry standards are right now, whereas some of our levels are at 90 per cent confidence factor, which means the percentage at times that we will achieve the . . . For example are when a computer breaks down in one of our prime locations — Regina, Saskatoon, P.A. [Prince Albert], Yorkton, Swift Current — we have one day to resolve that. We agree to resolve that 90 per cent of the time within one day.

Most industry standards are around 80 per cent. And again that goes for the speed of answer on our phone. Generally it’s an 80 per cent is the industry standard. We’re using 90 per cent right now.

Mr. Wincherauk: — Because we’re trying to develop a culture of customer service, being customer service focused, we ran our first client survey in March to give a . . . You know, I mean we can think we’re doing a great job, but sometimes you have to go out there to the customer to find out what they really think.

And the response on the survey was very positive for an organization that’s basically been in existence now for about 18 months. And I think we are running in the high 60s to medium 70s on just about every category. So the client is feeling like they’re getting what they need to get their job done.

Mr. D’Autremont: — Within your service agreements and your charters, what recourse does a client have if they’re unhappy with the service?

Mr. Norton: — Generally what we do is at each of our regular meetings that we have with the client to discuss our monthly service report, you know, discuss where things are going wrong and where they are unhappy with. And you know, we are a client service organization so we, you know, will make changes, discuss with them options for making changes.

For instance, the inventory one that we’ve been having issues with in getting hardware in a timely fashion, you know, we discuss with the client. We can bring more inventory in. There’s a cost to you for us to bring that inventory in and to hold it. And they need to make that decision.

Again we’ve done some negotiations with our vendors — service levels basically with our vendors — to now put in place measures that allow us to meet our service commitments to our clients.

Mr. D’Autremont: — Are there any penalty clauses built into your charters, your service agreements, or is there an allowance for your clients to go outside of ITO if the services that ITO was providing are not up to their desire?

Mr. Wincherauk: — We don’t have any of those.

Mr. D’Autremont: — So once you sign a charter with ITO, you’re stuck with it.

Mr. Wincherauk: — No. I think, as was pointed out at the start, we’re a very flexible and adaptable organization. And if there were issues, they would be raised with us, and we would sit down and renegotiate those contracts — the service level agreements, you know.

But basically you know, outside of those who are in our environment, they receive the service from us. And the only way we can entice more departments into the environment is by providing excellent service to the clients we have, you know. Or what happens is that goes up to my boss who is the Premier, and then I have problems. So we make sure everybody is in line.

Mr. D’Autremont: — So it may, even though a client may not be happy, orders may come down from on high that you will deal with this service.

Mr. Wincherauk: — Correct.

Mr. D’Autremont: — That dealt with the recommendations on the signing of the service level agreements. The next discussion deals with security and the nature of what you’re involved with. And I note in the auditor’s report that one of the pieces of information you provide to your clients on your monthly reports is a list of any security breaches that had occurred. I wonder if you can relate to us how many security breaches you’ve experienced and what has been the nature of those breaches.

Mr. Norton: — We typically have about seven security breaches in a month, and they have been all of a minimal nature: virus, where a virus gets into the network or is cleaned on coming into the network, those type of issues. We’ve not had a major security incident since we’ve been at the ITO and even prior to the organization I was at that came into the ITO.

Mr. D’Autremont: — So you would count a virus that has been prevented from spreading with your anti-virus software as still being a breach, would you?

Mr. Norton: — Yes absolutely. If it came into the environment, we assess how it came in, what were the implications, and what it actually did. So again it may . . . When we have one instance of it . . . again we have on our outside firewall 200,000 hits a day of potential threats that are hitting us, internally 15,000, any of those that we identify that make it into the environment such as a virus. Even though an internal client will clean that, we have to follow up to see where it came through, can we stop it sooner, was there any implications or anything compromised.

Mr. D’Autremont: — Especially if that is coming from internally. I think that’s a very big concern because it means it’s in your system already.

Mr. Norton: — Well absolutely. Right. And again our system has been cleaning those, and incidents haven’t got away on us. And again that’s why we take every little incident very seriously.

Mr. D’Autremont: — How much of the budget of ITO is spent on security? I’m not concerned about the particular number but rather . . . even a percentage.

Mr. Norton: — I would say we’re about, you know, a quarter of a per cent to half per cent of our budget is spent on direct what we call security. I mean there’s security in every day of our work right from even our help desk, you know, creating accounts and monitoring those things. I mean if all that’s brought in, I think we’d be as high as probably 3 to 4 per cent.

Mr. Wincherauk: — And we’ve invested significant dollars within our infrastructure, you know, our data centre, and what we have is a backup there.

Mr. Norton: — Yes. And again I think every equipment we buy, piece of equipment, has a security implication. And we have to analyze the threat, see if it meets our needs, I mean, is a potential. Again some things are switches but have security pieces in them.

Mr. D’Autremont: — When you have what you perceive to be a breach and you backtrack it and deal with how it came into the system and how to correct the situation, but do you also do things to prevent it from getting into the system in the first place? You have the antivirus software and those kind of things in place. But do you actively — and I asked the minister this before — do you actively try to check to make sure that your system is secure in the sense of you trying to break into your own system?

Mr. Norton: — Oh absolutely. I mean we do that on a regular basis, as well as any time a system change . . . we do a regular basis of the entire environment where we bring in ethical hackers or again do our own internal what we call vulnerability and penetration testing. So that’s done on a regular basis to ensure we’re up to speed. And as well the auditor has provided some of their own when they come in for the audit as well.

Mr. D’Autremont: — Your security package, is it a common package throughout all of executive government, or do you have package that’s specific for each client?

Mr. Norton: — When you say package, you mean the services that . . .

Mr. D’Autremont: — Well do you have one format that you overlay on all of executive government, or do you have a specific overlay for each department of executive government?

Mr. Norton: — So the overall arching policy and standards that we would apply in that environment?

Mr. D’Autremont: — Well the policy, yes. The policy I can see being common, but the actual software and the hardware and the operation.

Mr. Norton: — As organizations come into our environment, they are standardized into a single process that we use for our security thing. Obviously right now, with departments outside, they choose different. Some of them have different methods of securing their environments based on their threats and risks.

I would say also that every client is slightly different and may have a slightly different solution needed depending on the requirements of the business, criticality, classification of the data, how the data is handled and moved around.

Mr. D’Autremont: — My concern about the commonality is that if someone has the ability to break into the system, then they could break into all of the systems.

Mr. Norton: — Well when I was saying common . . . and I mean the virus software that we use to protect our system is of common standard model. We have firewalls and pieces of firewalls that are not provided by Norton which is the provider of some of our virus software. So I mean we have multiple perimeters of security to protect us from viruses, from any kind of penetration. And those are defended by different technologies, different vendors, you know, working together to provide a good solid security front.

Mr. D’Autremont: — Do you classify the breaches into various categories, as viruses that are simply disruptive, people who are trying to put something onto the system to gather information, or people that are trying to actually access specific information within the system?

Mr. Norton: — Absolutely. I mean we have a different classification. Be it a low-security incident such as a virus or a virus that has been contained very quickly; or you know medium, again moving up as the threat or risk to data; or again, any type of information or services that we provide, again, maybe even disrupting how a service is delivered through bringing down the hardware. Absolutely.

Mr. D’Autremont: — How many attempts, that you would know of, has there been for people to try and actually access private information?

Mr. Norton: — To access private information, we have no incidents that I’m aware of. Again we block all those at the firewall. I mean there’s lots of penetration that tries to come into our environment. No one has successfully penetrated into the environment to have any type of access to any system, especially classified-type data.

Mr. D’Autremont: — So then to the best of your knowledge, there has been no compromise of any personal information, medical records, you know, ID [identification] theft, that kind of circumstances of the system.

Mr. Norton: — I can speak to the systems and departments under the ITO. And no, there has been none.

Mr. D’Autremont: — Okay. Thank you. Thank you, Mr. Chairman.


Back to 2005/06 Legislative Session