Auditor general says IT security is weak at Halifax police — and they lied to their civilian oversight board

In a report tabled Thursday, the city’s auditor general says information technology (IT) security at Halifax Regional Police is lacking, and the department’s management lied to the Board of Police Commissioners about their progress in fixing it.

Halifax Auditor General Evangeline Colman-Sadd originally planned to audit HRP’s IT security in 2018, but delayed the work after she discovered police had a consultant conduct a similar assessment just 18 months prior.

In a letter to the police board and a presentation to council’s Audit and Finance Standing Committee in July 2018, Colman-Sadd revealed the existence of the December 2016 KPMG report, which found 67 issues with HRP’s IT security. Colman-Sadd also told councillors and the board that virtually nothing had been done to fix it.

In September 2018, the new hire responsible for fixing the issues, chief information security officer Andrew Kozma, publicly told the police board he was making progress on about half of them. He was to provide monthly updates to the board after that, but those never really materialized, at least not publicly.

On Thursday, Colman-Sadd presented her office’s audit to the Audit and Finance Standing Committee.

“HRP is not effectively managing risks to its information technology systems and assets to adequately protect against internal and external threats,” the report says.

Among the issues identified in the report, led by auditor Ashley Maxwell and conducted between February 2019 and the end of 2020:

• Existing IT policies are outdated and draft ones haven’t been acted on for 18 months.
• The staffer in charge of “covert systems,” like surveillance equipment, doesn’t report to the chief information security officer.
• HRP hired a consultant to assess its covert systems IT security in 2017 and never told the chief information security officer about it or gave him a copy until the auditor general told him about it.
• There are gaps in the physical security of HRP’s IT assets — a lack of policy, for example, around the removal of USB sticks or other similar devices. “Existing and draft policies do not address when equipment, information, or software can be taken offsite, or who must approve this.”
• Inventory tracking is incomplete and inaccurate, especially around “mobile data terminals” in police vehicles. “During the audit, the license expired for software used to track inventory. HRP did not take steps to get an inventory list before expiry.”

In all, little has changed since the 2016 and 2017 reports: “The majority of the consultant’s recommendations were still outstanding when we completed fieldwork in October 2020,” the new report says.

Worse, the police lied to the board of police commissioners about it.

Here’s a section of the report, titled “Board of Police Commissioners given incorrect information on IT recommendations by HRP management,” in full:

HRP management did not adequately brief the Board of Police Commissioners in 2017, following a consultant report on IT security.

We initially planned an audit of HRP IT security in Spring 2018 but decided to delay after HRP gave us a consultant report assessing IT security risks.

In July 2019, HRP management provided a detailed progress update on the semi-covert system recommendations to the Board of Police Commissioners. Management told the Board 13 of 67 recommendations in the semi-covert report were complete. We found:

• Six recommendations assessed as complete by HRP IT, were instead, outstanding.
• Another recommendation related to the Province of Nova Scotia; it should have been identified as not applicable to HRP IT.
• An eighth recommendation was outstanding because management decided not to move forward with it. However, it was presented to the Board as complete, rather than do not intend to implement.
• Five recommendations were complete at the time of the update in July 2019.

The Board was not briefed on the consultant’s covert system recommendations. Up to October 2020, when we completed audit fieldwork, the Board had not been provided any information on those recommendations.

The Board has administrative oversight of HRP’s activities, as defined by the Police Act. It is HRP management’s responsibility to provide the Board with sufficient information to allow Board members to discharge their duties. Care must be taken to ensure information is complete and accurate.

The meeting in July 2019 was Chief Dan Kinsella’s first as head of HRP. Under the in camera section, the agenda lists a “security matter.” The minutes say, “The following item was dealt with by the Board In Camera (In Private), and no further action was required.”

During Thursday’s meeting, Mayor Mike Savage noted the report used stronger language than he’s used to hearing from Colman-Sadd.

“Things like ‘given incorrect information,’ ‘not getting adequate information,’ ‘needs significant improvement, ‘not effectively managing risks,’” Savage said.

He asked the auditor general to comment on how this report compares to others she’s tabled, and Colman-Sadd said she’d speak directly to the ‘given incorrect information’ quote:

For me, I attach even more importance to that sort of area because I think oversight bodies — whether it be regional council, Audit and Finance Standing Committee, the Board of Police Commissioners, or whatever oversight body — it’s so important that the information they receive is complete and accurate so they can discharge their duties in those roles. And so that’s why that particular area was so concerning to me, because I felt the board had not been given accurate information on the status of those recommendations back in July of 2019.

Overall, and I think the overall conclusion speaks for itself, the results aren’t great … It’s certainly not an overly positive result.

The report makes 12 recommendations — all accepted by management. The first: “Halifax Regional Police should implement a process to ensure only complete and accurate information on security of IT operations is provided to the Board of Police Commissioners.”

The other recommendations include the creation or completion of various internal policies and processes to protect IT security. For example, the auditor general recommends police “should develop and implement operating procedures to maintain its systems, including patch management, change management, and backup.”

The acceptance of each recommendation is noted in the report, with timelines included ranging from April to December 2021. Colman-Sadd’s office will follow up at 18 months, as it does for all audits.

In a statement Thursday, Kinsella said “HRP takes the findings of the audit very seriously.”

“Using a project management approach, HRP will focus immediately on the highest risk categories, and is committed to actioning all recommendations. We thank the auditors for their diligence and engagement, and for their focus on bringing important matters to the attention of HRP management,” Kinsella wrote.

There was also an in camera report presented to the standing committee. According to the public report, the private one explores some of the same topics in greater detail, “along with sections on network operations, business continuity, and access.

“Given the sensitive nature of many IT topics, publicly reporting details of concerns identified could impact the safety and security of HRP operations,” the report said.

The committee spent nearly two hours meeting in camera. Councillors made no public motions afterward.

The Halifax Examiner is an advertising-free, subscriber-supported news site. Your subscription makes this work possible; please subscribe.

Some people have asked that we additionally allow for one-time donations from readers, so we’ve created that opportunity, via the PayPal button below. We also accept e-transfers, cheques, and donations with your credit card; please contact iris “at” halifaxexaminer “dot” ca for details.

Thank you!