Canada not addressing IT risks for air transportation: ReportReprints
The Canadian Air Transport Security Authority has failed to produce action plans to properly and timely assess and mitigate systemwide information technology risks, according to a report by the Office of the Auditor General of Canada.
The Ottawa, Ontario authority's corporate risk profile contains mitigation measures related to information technology, including a business continuity plan and an emergency response plan — both of which are periodically tested — as well as IT threat and risk assessments and a business impact analysis, according to the report, which was published on the auditor general's website on Tuesday after an examination conducted in 2015.
However, the auditor general determined that only two out of four key systems examined had an assessment done, that the assessments were outdated and that no action plans were in place to address the identified risks, according to the report. Conducting these assessments for key systems is important to identify potential vulnerabilities, according to the auditor general.
“Action plans are needed to mitigate, monitor, and report on identified IT risks,” the report said.
The auditor general recommended the authority conduct these assessments on all critical systems and maintain action plans for each assessment, which the authority has agreed to do.
The authority was created in response to the Sept. 11, 2001, terrorist attacks in the United States and is responsible for screening more than 52 million passengers and their belongings before they board planes at 89 Canadian airports, according to the authority.