Audit and Finance Standing Committee, Feb. 11, 2021
Meeting recap (the important stuff):
Halifax’s Auditor General Evangeline Colman-Sadd presented a damning audit of Halifax Regional Police’s IT infrastructure and practices.
The report highlighted many failures in the HRP’s IT policies, but the most troublesome is related to police accountability. The AG’s audit was delayed so the HRP could implement recommendations from a 2016 security audit. In 2019 HRP’s Chief Information Security Officer Andrew Kozma told the Board of Police Commissioners they had completed 10 of the recommendations and started 40 of the 66 recommendations in the 2016 audit.
The AG’s audit found they had only completed five.
In response to a question from Mayor Savage, Colman-Sadd said the most concerning part of her audit was the fact that the Board of Police Commissioners was given incorrect information on IT recommendations by HRP management. She said that without complete and accurate information, oversight bodies cannot do their duty. The Board of Police Commissioners, the HRP’s oversight body, would never have known the HRP gave them false information without this AG report.
Her report also showed a hodgepodge of other security and inventory issues in the HRP. An inventory of the police in-cruiser computers (mobile data terminals) revealed some were missing, some were assigned to the wrong people, and one was listed twice. While the audit was ongoing, the software police use to track inventory expired and they had no plans to renew it. Similarly, data centre maintenance wasn’t happening because HRP management believed the maintenance contract had expired, when in fact it had been renewed and the work could have been done.
The police covert IT system is managed by one person who doesn’t have an IT background, and they do not report to the person in charge of the HRP’s IT. The person in charge of IT didn’t even know the 2016 security audit looked at the covert IT systems until the AG’s office informed them at the start of their audit.
More generally, the AG found that HRP didn’t have good plans or policies in place to manage IT risks, and where plans did exist they were often either out of date or poorly enforced. The audit found the HRP has a security classification for information, but no way to physically protect it. They could identify that information was Secret, for example, but had no policies in place to prevent people from leaving that information on their desk, leaving the building with it (like Jeffrey Delisle), or taking it to a girlfriend’s house (like Maxime Bernier).
In short, I would characterize the HRP’s IT management as a fustercluck; the full AG report is worth the read.
Switching gears, the committee also got a report on the HRM’s third quarter, and it’s looking like the city will have a surplus of $6.1 million.
Neptune Theatre also asked for $100,000 to help them get through COVID and the committee sent it to the budget ‘parking lot’, so Neptune will find out in a month or so if they’ll receive it.
Who said what (paraphrased):
Russell: I was just watching the Mayor’s State of the Municipality which has concluded, so let’s go. We’re going to have a few extra councillors in this meeting for one section of the meeting. For the members of the Board of Police Commissioners, only members of this committee can make motions and vote, but I won’t restrict questions. I’d like to move the financial report ahead of the Police IT audit. Up first, the Neptune Theatre presentation.
Lisa Bugden and Jeremy Webb: *Makes the same presentation as the last time they presented to the Community Planning and Economic Development Standing Committee — They’re asking for $100,000.*
Cleary: *Puts forward a motion to send this to Budget Committee for funding* I think this is worthy of our consideration.
Deagle-Gammon: Your business plan, is there an ask to other levels of government?
Bugden: We’ve asked for and received funding from the province and are in the process of getting some money from the feds.
Deagle-Gammon: What is the ask from the provincial government and feds?
Bugden: Feds are still up in the air, but more than we’ve asked for here. We’ve gotten a total of $105,000 from the province.
Purdy: This would go to ‘the parking lot’ to be voted on at the end of the process?
Savage: I don’t see the motion.
Russell: It was from the floor.
Savage: I know Neptune’s been going through a rough time, I would support this.
Smith: Is the money being asked for as COVID relief or as a grant?
Bugden: COVID relief.
Smith: We aren’t the level of government that gives COVID relief, so this could set an unexpected precedent and may generate more COVID relief.
M/S/C – Vote – Unanimous – Aye
Russell: On to the third quarter financial report.
Dave Harley: We have a projected surplus of $6.1 million, here’s why:
Harley: The risks (or opportunities) financially are the impacts of COVID-19, transit ridership levels, winter snow removal, and things like the cost of fuel. Councillors have spent $1.9 of $2.3 million of their capital funds. Recreation Areas Rates have a surplus of $1.6 million. We are projecting a $254.4 million in our reserves by March 31, 2021. This is where our capital fund is at:
Harley: Our hospitality expenses are non-existent due to COVID. Here’s what councillors have spent on travel:
Cleary: The line item for recoverable debt, it was budgeted at $15 million and now it’s $22 million, are we collecting more debt than we expected?
Harley: It’s because of an accounting change due to Solar City, it’ll wash out to zero.
Cleary: We’re loaning more and therefore going to get more?
Harley: Not really, we just changed how we count things, but everything’s still counted.
Cleary: *Reads the motion for agenda item 12.2.1 as written* With the multi-district facilities in parks and rec, what’s our legal obligation to these? I know we changed it recently.
Harley: We’re responsible for funding their deficits, but we also get money from their surplus. We pay or get paid depending on how they did that year.
Purdy: What’s the discrepancy between the district capital funds?
Harley: Everyone gets the same amount of money, but they get it every year and keep their money from previous years.
Purdy: And what’s the acronym NAIG?
Harley: North American Indigenous Games.
M/S/C – Vote – Unanimous – Aye
Russell: Auditor general for the police IT report!
AG: There’s public and in-camera parts of this report, which is normal for IT audits. We only audited things the HRP were exclusively responsible for, not systems shared with the HRM. We looked at semi-covert and covert networks. Our overview is this:
AG: They’re not managing the risks. Their policies are out of date. They didn’t give adequate information on IT security to the Board of Police Commissioners. Most of our recommendations do not require money to fix. Their policies are out of date, and didn’t cover IT issues “you’d expect them to.” The HRP got a consultant report which made recommendations on how to fix IT issues. The HRP presented to the BOPC in 2019 that they had completed 13 of the recommendations. Our audit found they only did 5. There’s not enough oversight into the covert IT systems, it’s not supervised by anyone with an IT background, and the one person who does look after the system doesn’t report to the HRP’s Chief Information Security Officer (CISO). The CISO was unaware of the report on the covert IT system until this audit. The risk management process is bad. Risk assessment hasn’t been updated since 2016. They have no plan to mitigate IT risks. They don’t have good control over access to IT networks, and no tracking of encrypted storage devices.
Ashley Maxwell: HRP need to assess HRM’s IT policies to make sure they’re suitable for the HRP. They need to identify which physical spaces and information are more sensitive. They need a policy for removable media (thumb drives), and they need an updated list of inventory. They have no teleworking policy, they’re using HRM’s policies, but have no idea if it’s working for them. HRM’s policies might not be good enough for privacy for the HRP. They have levels of security classification for information, but not spaces in buildings. (For example, in the military any Secret information was kept in Secret rooms and any information that left those rooms needed sign-off from our chain of command and the people who guard the Secret room.) Data Centres have backup power, but management had no idea the contract was renewed. They didn’t do maintenance because they didn’t know the contract to do so had been renewed. There are no policies around data destruction. There’s no policy on managing removable media (even with one, people can still walk out with info like Jeffrey Delisle. It’s way easier without one though). HRP doesn’t keep track of its inventory. There are inventory lists for the mobile data terminals in police vehicles, but some are missing, some were assigned to the wrong people and one was on the list twice. The software used to track these terminals expired during the audit and they didn’t take steps to renew it. There are no operating procedures to maintain or back up the systems we audited.
AG: There are 12 recommendations with timelines, and we’re going to follow up in 18 months, and we expect 80 per cent compliance, questions?
Russell: There’s no motion for this report, but we can send it to council.
Kent: Your last comment that they’ve accepted the timelines, what’s reasonable? When you check-in, in 18 weeks where do you expect them to be?
AG: 18 months is our typical follow-up timeline. We find that usually 80 per cent of our recommendations are implemented by that time. The timelines I mentioned are ones that HRP management has given us in accepting their recommendations. The best practice for auditing bodies is following up regularly by the appropriate oversight body (BOPC in this case) on a reporting timeline, like quarterly. And then after 18 months we can go in and see if their self-assessment of progress is accurate.
Savage: We’re seeing language we don’t often see from you AG. “Given incorrect information,” “not given adequate information,” “not effectively managing risks.” Can you compare this to your normal audits?
AG: Not being given accurate information, I attach more importance to that. It’s important for oversight bodies to be given accurate information so they can adequately do their duty. That’s why that area was so concerning for me, that they weren’t giving the correct information in July of 2019. I’m pleased to see that management has accepted the recommendations. But it’s not an overly positive result.
Savage: It’s not going to require resources, it’s more of a change of direction?
AG: They don’t need IT infrastructure, it’s mostly updating policies or formalizing processes and documentation.
Russell: You suggested an interim follow-up, can we get one from you nine months out?
AG: I didn’t mean my office, I mean the various oversight bodies should require and create regular reporting guidelines. My office should wait the 18 months.
Russell: Let’s go in-camera to get the other report.
*Meeting moves in-camera*
Councillor Paul Russell, Chair (District 15)
Councillor Cathy Deagle-Gammon, Vice-Chair (District 1)
Councillor David Hendsbee (District 2)
Councillor Trish Purdy (District 4)
Councillor Shawn Cleary (District 9)
Councillor Kathryn Morse (District 10)
Councillor Becky Kent, In attendance from Board of Police Commissioners (District 3)
Councillor Lindell Smith, In attendance from Board of Police Commissioners (District 8)
A former Naval Officer turned journalist, Matt Stickland is committed to empowering his community to ensure that everyone has access to the information they need to make their city a better place.