The Canada Revenue Agency said that while a 2008 audit revealed it had still not found effective software for deleting sensitive taxpayer data from hard drives following a warning from the RCMP in 2007, the agency does expect to have new software in place by September of this year, according to a spokesperson.
Since receiving the warning from the RCMP in October 2007, the CRA has been undergoing an analysis of various technologies that might fit the bill, a process that is now complete, said spokesperson Caitlin Workman. “The CRA will pilot these hardware and software solutions to determine the most suitable option(s) for our environment. Once the pilot results are analyzed, the appropriate product(s) will be identified and procured,” she wrote in an e-mail statement to ComputerWord Canada.
The pilot will take place in May, after which “the most efficient” software will be chosen and put in place in September, said Workman.
In the meantime, there are hard drives containing sensitive data that have been stockpiled in the absence of a better disk-erasing tool, acknowledged Workman. However, she explained, those are newer hard drive models for which DSX software — the previously sanctioned tool by the police force — is deemed unreliable. While older hard drives continue to be erased using DSX, newer ones are either destroyed “or kept under lock and key, with access to these secure storage facilities restricted to authorized personnel only,” said Workman.
Canadians have no reason to be concerned for their confidential information, said Workman, noting that “no information security breaches were discovered by the CRA internal audit.”
Brian O’Higgins, security expert and chief technology officer with Ottawa-based intrusion detection technology vendor Third Brigade Inc., said that while the results of the audit do not exactly leave people with a good feeling, he does believe the government and the CRA in particular understands security and has rigorous IT security practices in place.
“People will be concerned. But the reality is, (the CRA) is probably a lot safer place to have the data than on their own PC at home,” said O’Higgins. “But whenever there is such an aggregation of data, it becomes a target.”
It’s not for a lack of effective security software on the market that it has taken the CRA a long time to identify a better tool, so it sounds like the agency could be hindered by its own procurement process, said O’Higgins. It’s often easier, he explained, for the government to deal with vendors with which it has a standing arrangement, something that can take a long time to put in place, instead of just going out and purchasing the software.
But the fact that the CRA understands the importance of IT security, said O’Higgins, makes this particularly surprising. “So that’s why it’s all bizarre. But strange things happen with all the process and bureaucracy.”