The Nova Scotia Legislature

HANSARD

NOVA SCOTIA HOUSE OF ASSEMBLY

COMMITTEE ON PUBLIC ACCOUNTS

Wednesday, March 31, 2010

LEGISLATIVE CHAMBER

Government-Wide Technology Information Security

Printed and Published by Nova Scotia Hansard Reporting Services

PUBLIC ACCOUNTS COMMITTEE

Ms. Diana Whalen (Chairman)

Mr. Leonard Preyra (Vice-Chairman)

Mr. Clarrie MacKinnon

Ms. Becky Kent

Mr. Mat Whynott

Mr. Maurice Smith

Hon. Keith Colwell

Hon. Cecil Clarke

Mr. Chuck Porter

[Ms. Vicki Conrad replaced Mr. Mat Whynott for a portion of the meeting]

WITNESSES

Chief Information Office

Mr. Greg Keefe, Deputy Minister

Ms. Holly Fancy, Chief Information Officer

Mr. Wallace Peers, Provincial IT Security Authority

Ms. Connie Michaelis, Director, Corporate IM Program Office

In Attendance:

Mrs. Darlene Henry

Legislative Committee Clerk

Mr. Jacques Lapointe

Auditor General

Mr. Alan Horgan

Deputy Auditor General

[Page 1]

HALIFAX, WEDNESDAY, MARCH 31, 2010

STANDING COMMITTEE ON PUBLIC ACCOUNTS

9:00 A.M.

CHAIRMAN

Ms. Diana Whalen

VICE-CHAIRMAN

Mr. Leonard Preyra

MADAM CHAIRMAN: I'd like to call this meeting of the Public Accounts Committee to order for this morning. We have with us witnesses who are going to talk about the government-wide technology information security, it's really government-wide for Nova Scotia. So I'm sure there will be many interesting questions from all caucuses.

To begin the meeting I'd like to ask the members of the committee and our guests and our support staff as well to please introduce themselves. We'll start with Mr. Smith.

[The committee members and witnesses introduced themselves.]

MADAM CHAIRMAN: Thank you very much. As is our custom, we are quite a formal committee. We'll begin with opening statements, if you have some from your area, Mr. Keefe.

MR. GREG KEEFE: I do, thank you. Good day. Madam Chairman, I am pleased to have this opportunity to update committee members and Nova Scotians on government's measures to further enhance security of the province's IT network. Here with me today are Holly Fancy, Chief Information Officer for the province; Connie Michaelis, Director of Corporate Information Management Program and Wallace Peers, who oversees our IT security. I had to bring staff along because they know the detailed answers, if you need them.

Madam Chairman, we take the issue of network security very seriously, and with good reason. The growth rate of Internet and mobile use continues to increase exponentially. To put this in context, just five years ago government servers received about 28 million spam e-mails in an entire year. We now receive more than that in one month.

[Page 2]

In 2005 we received just over one million good or legitimate e-mails. Now we receive just a little under two million each month and on average we block about 2,000 viruses monthly.

Since a security authority staff was assigned six years ago we have not had any instances of inappropriate access to the government network and this information, yet we remain vigilant and continually update the network's protective measures.

As you are aware, we accepted in principle all of the Auditor General's 21 recommendations as outlined in his report of April 2009. Our aim was to complete 25 per cent of his recommendations during this fiscal year. I am pleased to report that we have met this commitment and even surpassed it. Currently we have completed about one-third of the recommendations and have another third, or a little bit more, in the works. In other words, 15 of the 21 recommendations are either complete or underway.

Our approach for tackling this - the issues as identified by Mr. Lapointe - was to identify those posing the greatest risks, those we could implement quickly, and those that needed organization or structural changes. Not surprisingly, our most critical work was putting in place the organizational structure needed to establish the Chief Information Office itself and assign staff, as was announced in April of last year.

The CIO was a central agency and responsible for information and communications technology, and is responsible for network security and information management. By way of background, resources for the office include 184 full-time equivalent personnel, all of whom are now in place, and a $17 million budget. This funding supports staffing, a data centre, security needs, policy development, and operational infrastructure services.

Other key elements of our work this past year included the development of a government-wide technology and information strategic plan, which will be available in the next few months. Of course, we need this plan in place so we can begin security planning for it. We also developed a corporate governance framework into which security governance will be incorporated.

As well, we are designing a new service delivery remodel for infrastructure services so we can determine how to deliver security services like network monitoring within the new CIO model. Our intention is to strengthen the security mandate of the office and finalize roles between security staff and the CIO's newly-minted infrastructure service management group, and we are making good progress.

Thank you, Madam Chairman, and I would be pleased to answer the committee's questions.

[Page 3]

MADAM CHAIRMAN: Thank you very much for those opening comments. For the first 20 minutes of our questioning I'll turn the floor over to Mr. Colwell from the Liberal Party.

HON. KEITH COLWELL: It's wonderful to see you again, Mr. Keefe, and I know you will do a great job at the position you have, based on the work we've done together before. I have some general questions, some of which are outside what the Auditor General found. One question I have is, the government is still using the old Windows program, a very old one, and I understand there are no updates for that anymore, no security updates or anything else. How do you handle that for security purposes?

MR. KEEFE: We are still using Windows XP, which is currently two generations old for Windows, but it is still getting security updates. Actually, before I came over this morning that was one of the things I had to do on my computer. I don't think we'll migrate to Vista. One of the issues with Vista is it is a very resource-intensive operating system and would require us to upgrade quite a few of our computers at a cost, and plus a lot of old hardware simply wouldn't work under Vista, requiring another investment.

What we are hoping to do is move to Windows 7, which isn't as intensive and is a little bit more compatible. We recently signed a three-year agreement with Microsoft just before Christmas to licence their suite of products, and included in that would be the upgrade to the next version of Windows.

MR. COLWELL: That's good. When do you think that might possibly be right across the whole government?

MR. KEEFE: I'm not sure. I don't really have a time for that, because it needs to be planned, staged, and we have other things. One of our first rollouts would be some of the other Microsoft products that we acquired with that suite, including switching over our e-mail products, so it will be staged when the time comes.

MR. COLWELL: The other thing is, this government, of course, deals with a lot of personal information, a tremendous amount of personal information, probably more than anyone else and that's rightfully so. But I'm concerned, there's more and more concern all the time about identity theft. Indeed, if there is any breach of security within the government system, it would be one place that people could get pretty well anything they wanted on an individual from the time they were born until they die and everything in between. What do you do to ensure that just doesn't happen?

MR. KEEFE: I think the easiest answer to that is when we employ new systems, we take our time, we don't try to make quantum leaps. I would love to have far more of our services to citizens available on the Internet, but until we can assure ourselves that we're doing that in a safe way, we have to move slowly.

[Page 4]

All of our new systems, major changes to systems, they undergo what we refer to as a privacy impact assessment. Some folks review the application, they review the business processes, the supporting legislation, with an eye to - are we protecting privacy here, so are we preventing unauthorized access and unauthorized changes. That's basically our process. We are working with national groups trying to solve the issue of putting more transactions for citizens on the Internet.

Every jurisdiction in the country is facing the same issue. So we're working with our colleagues in Quebec, Ontario, the federal government, B.C., to come up with a framework. A lot of the technology for this, as you would see, Revenue Canada, for example, has some great security around their E-pass. It is great, but it's also expensive. So none of us could really afford to go on our own. We're trying to find a way where we can move together, certainly share the policy, and perhaps share the infrastructure.

The second win with that, of course, if we all had the same basic Internet security behind us and processes, then the citizen can not only identify himself to a particular province, could use the same sort of credentials to identify themselves to other governments, which would be a good win for the citizen. So it's progressing, we're not there yet, but it's making good progress.

MR. COLWELL: A year or two ago, I can't remember exactly when, in Public Accounts Committee, there was an issue raised with one particular department and I can't even remember the department, it has been so long ago now, about passwords, security, individuals who had already left government and they still had the passwords to access all the information that they had when they were working there and some people inappropriately sharing passwords. There was also, if I can recall right, a problem with individuals who shouldn't have access, who did have access. How have you resolved that problem or has it been resolved?

MR. KEEFE: Yes, with 10,000 people it's hard. No, it has totally been resolved as you can appreciate, but we do have policies in place such as it's forbidden to share your password. We force password changes on a regular basis - every 30 days, 60 days - depending on the system. When you log in, it will tell you to change your password. It won't let you go any further. We have standards about those passwords so that they're not easy to guess. We are also moving to a single sign-on system, which would make it a lot easier to manage the issue.

You mentioned when people leave. When people leave, there's a checkoff list for what we need to stop: collect their cellphone, cancel passwords. The more systems people have access to, the harder it is to make sure you've got them all. So when we move to the new system, SIM I believe it's called, and we have all but two of our groups of corporate service use already there, then all of that information is in one place so it's a lot easier to suspend all those accesses and make sure you have them all.

[Page 5]

MR. COLWELL: So it is a serious concern. Have there been any issues since that one, one or two years ago, that have come to your attention, that you have since made corrections on and sort of plugged up the loophole?

MR. KEEFE: No, I could go back to my previous role at Service Nova Scotia and Municipal Relations and we did have a few inappropriate accesses by staff, but they were dealt with as part of the performance monitoring and they weren't necessarily related to abusing passwords, it was just staff who happened to access and did something they weren't supposed to do but, no, I'm not aware of any breaches at all.

MR. COLWELL: That's good, I'm glad to hear that. Since your department has been created, have you uncovered more things that you have since corrected that have made it more secure on our computer system so we can tell the people of the Province of Nova Scotia so they feel more comfortable than they ever did with the system?

MR. KEEFE: I don't know if we've uncovered more, but we have taken some steps. For example, during the last year we implemented a security policy on BlackBerries. If your BlackBerry is now attached to our system you are forced to use a password. When you turn it on it comes up and asks you for a password and won't let you go further. The machine automatically times out every 10 minutes, requiring you to put your password back in. That's not very popular; I get quite a bit of pushback on that, but it helps make it very secure, because a BlackBerry can be lost and that way it controls it. Also, we established a 24-hour hotline so if you do lose your BlackBerry, you call that number and if it's still turned on, we can purge the BlackBerry remotely, just wipe the entire memory from it. Those are a couple of examples.

We are also working on laptops for encryption software so the hard drives - they're already always password protected, but this would have a second step, to encrypt all the data. I think we're probably in the RFP stage on that now, and also evaluating the memory sticks that people use, the little thumb drives, again to set up procurement on those so people can buy them so that they are encrypted.

[9:15 a.m.]

One of the issues is there's lots of that stuff on the market, but a lot of it is very complex to use. If you buy something that is complex to use, people will tend not to use it and try to go around it, so we're trying to make something that is both secure but very easy for the user to use, so that they'll use it and we won't have issues.

MR. COLWELL: Well, that's good, I'm glad to hear that, because information is power - it doesn't matter what it is. If you can get it illegally it is even worse because you don't know people have it and you can have more problems.

[Page 6]

I understand there are approximately 10,000 employees who operate computers in the province now. Of those, how many of them are laptops and how many are stationary ones?

MR. KEEFE: I'm not sure. Holly, would you have a guess?

MADAM CHAIRMAN: Ms. Fancy.

MS. HOLLY FANCY: I actually don't have those statistics. I am assuming a majority of them would be desktop computers, although a variety of them may be laptops. I'm not sure, Wally, if you have any statistics - no? We could get that for you, though, definitely.

MR. COLWELL: Yes, that would be interesting to know.

MS. FANCY: We just see them as devices on the network and secure, if they are on the network and we secure them and treat them the same, but we could get those statistics.

MR. COLWELL: I appreciate that, if you could. Is your department resourced with enough funding to do the job that you need to do? I know it's a very complex job that you have to deal with.

MR. KEEFE: I don't think any role in government I've ever had would have had enough funding. I do believe we have our fair share. I believe we have enough. With the creation of the CIO, where we've taken essentially eight different entities and brought them together, we believe we're going to be able to eliminate some overlaps and redundancies. So now we will have two options, then - government may be able to harvest those savings to help them with the fiscal, or they could say no, leave it there, and we would be able to do some more things. So we work at that as we go along but no, I believe we're adequately resourced.

MR. COLWELL: Okay. Your staff that you have presently, you've brought them from all different sections of government?

MR. KEEFE: That's correct.

MR. COLWELL: They've all had experience in this type of security and the work you have to do.

You've talked about the BlackBerries already, and I think that's quite a neat system you've come up with and probably something I should have in mine, too. I don't use it with the government system too much. There was an issue a while ago about ministers in the previous government, to see if their BlackBerries were password protected, and you've answered my question and I appreciate that. That's a positive move forward, I think, because

[Page 7]

especially a minister or a deputy minister has access to pretty well everything that exists, within their department at least.

What about the drivers' licences and records? There were some problems years ago with some theft through the computer system, a glitch in that. Have you reviewed that system to see how secure that is?

MR. KEEFE: Yes, in fact the system was replaced, as you are probably aware, a couple of years ago, with new technology. One of the features that was built into that technology was being able to track reads. We always tracked who created the record or who modified a record. That was tied to the user IDs so if some impropriety was discovered later, we'd know who did this. What we didn't use to track though was who just looked at a record, so now in the new system that's tracked as well. As you're aware, someone just looking at a record could be inappropriate, not necessarily changing it. Yes, that has indeed been upgraded.

MR. COLWELL: What about criminal records? How about those? Any issues with those that over the last couple of years have been corrected or upgrades made in security?

MR. KEEFE: Well, we don't manage criminal records. That's a federal or justice issue but we are increasingly using criminal record checks. Right now, it pretty well depends on the programs, the more sensitive the program the person is working in, the more likely it is to have a criminal background check as part of hiring.

We'll be moving to do that universally as we move along but there are lots of issues we need to deal with, with that. When you get the criminal background check, there might be something on it, but does it really matter or is it okay? There are lots of these different issues we'd have to work our way through. We also had to be aware that even with that, the fact that someone doesn't have a criminal record doesn't mean they're not necessarily a risk because there is such a thing as first-time offenders. That's not the be-all and end-all, we still have to have all kinds of security, HR practices to make sure the systems are safe, but it is an extra step to manage that risk. And we're moving in that direction.

MR. COLWELL: Also with the income assistance records, that's very personal information on individuals. How do you ensure those are protected?

MR. KEEFE: The same way, all access to our systems are user ID password. Our data is stored in central locations, we have a data centre here that's quite a secure facility in terms of physical access as well as electronic access, so they are protected.

There are not a lot of links between systems, that is very restricted, so it's generally the people that are working in that program area that are the ones that have access to the records.

[Page 8]

MR. COLWELL: That's good. You indicated, I think, 15 of 21 of the recommendations of the Auditor General have either been completely resolved or in the process of being resolved. What about the other six? What are the six that haven't been addressed?

MR. KEEFE: I can give you the list, but for most cases there are things that we needed to wait until we had our IT strategy developed and our new governance system in IT replaced and our new organization in place. Once we got those, we would be able to move on, things like the IT security plan, so until we had our new architecture in place, we thought let's get that and then we'll design the plan to support that new architecture. For the most part, they're things that need phasing.

The one exception to that would be the data standards, data classification scheme that was recommended. The reason we haven't moved corporately on that is simply resources. To take a point in time and do it from here on in wouldn't be that resource intensive, but to go back and reclassify the immense amount of data we already have on hand would be very resource intensive. We put that one to near the end, let's get the others finished and then focus on that one.

MR. COLWELL: Okay. How has the government-wide acceptance of your new security systems been? Have you lots of co-operation from the deputy ministers and the staff in the departments?

MR. KEEFE: We have. Obviously you get some complaining because as you increase security, you lower convenience. It's simply that. You have to convince them the trade-off is worthwhile.

One of the things, I believe, in creation of the CIO office during our first year was at a senior level, myself as deputy held the title. I'm able to be in the room all the time with my colleagues in meetings on whatever topic and relate how IT security and information management relate to what they're doing, so it increases the level of awareness, increases the level of understanding what the trade-offs are. I think that's been a very positive step for us in terms of gathering that co-operation.

Sure, by centralizing all of IT in a way, we've reduced the control individual deputies have over the IT in their departments. They're now getting a service from somebody else as opposed to having the service in the organizational chart. Control to the organizational chart is always simpler than control to a service agreement.

So, yes, they've lost a bit but I think they see what the gain is and they're supportive.

MR. COLWELL: How do you monitor and enforce security on the systems? I mean, if you identify somebody who is not following the rules, how do you enforce it?

[Page 9]

MR. KEEFE: I guess it would depend on the nature, if you were talking about an individual, that would fall to the performance management for their manager to deal with whatever issues they were doing. When it comes to the technology, any new technology attached to the network has to be signed off by Wally, he would review the technology. Does this open any new security holes before it can be plugged in? In our network, you can't just go up and plug something in, it has to be coordinated with the folks who run the system. So that is fairly low risk.

There are risks out there, for example, currently we're undergoing an assessment. We work with the internal audit and they put an RFP and a contract with an external firm to actually try to attack our system to see if they can break in, to go around and see if they can find wireless sites that shouldn't be there and this type of thing. So that assessment is ongoing, just to make sure that we have all the bases covered.

MR. COLWELL: How risky is a wireless site?

MR. KEEFE: I guess it could be quite risky or it could be very solid, it depends on how it is set up and that is the risk with it. I don't know if you use wireless in your home, but when you plug them in, they're fairly wide open. There are several steps you can do, you can turn so that it is not broadcasting and so people won't see it, you can require a pass code that people would have to key in to get access and every computer has what they call a MAC address, it is a hard address, so you can enter those into the wireless point and if it doesn't see that address, it won't let any machine in, so you can crank your security level down.

To the extent that it's user accessible, it creates a risk, because the user could inadvertently or deliberately lower your security on you. So what we're moving to here is essentially managed wireless systems so that option is not available, so that is why we haven't been - except for very limited circumstances - we haven't been allowing a lot of wireless into the system because you would be vulnerable to actions by users. That is how we would protect it. Once it is set up properly, yes, they are quite secure.

MR. COLWELL: Yes, quite secure, but the secret is, properly.

MR. KEEFE: Which is why it needs to be managed separately and installed by folks who know what they are doing.

MR. COLWELL: I hear so many horror stories of corporations being hacked into through the wireless system and it really makes you nervous when you think about it and I'm very nervous, personally, about the wireless system because I don't know how to make it secure and that is the only reason.

What other steps have you taken in that regard to ensure that there is not unnecessary use of wireless systems, let's put it that way?

[Page 10]

MR. KEEFE: Aside from policy - and maybe I need to ask Wally for the particulars - we do monitor the network, as Holly mentioned. We see devices attached to the networks so we can determine what is out there and what hardware is there. I know that the CSU, the group that is serving me where I work, they have technology, they are able to scan the computers and even see what software is on them and tell you, oops, you're not supposed to have that one, that one, you're using Firefox and that is not as secure as Internet Explorer so get Firefox off and start using Explorer. But, Wally, I don't know if you would be able to elaborate on how we can detect?

MR. WALLACE PEERS: One of the things that we do from the individual IT group levels is control the network access itself. So, the ability to plug into the network port with your cable and actually get your wireless working, at this point is limited in most of the areas. They are not completely consistent because they have some different standards on the groups. However, as we merge them all together as part of the new CIO, there will be a common high standard for that.

MADAM CHAIRMAN: Your time has just elapsed Mr. Colwell. So for the next 20 minutes, I will turn the floor over to Mr. Porter representing the PC caucus.

MR. CHUCK PORTER: Thank you, Madam Chairman, and thank you all for being with us this morning. I don't have too, too much and certainly nothing too difficult I don't think, but bear with me.

You made a statement, deputy, I believe it was, enhanced security within the province, great words. What is enhanced? This is a big project and you spoke to some of it. How broad is this? I don't think the people really have an understanding how big this project is.

MR. KEEFE: Yes, it is very big. The big foundation piece was the creation of the office. We had an environment where we had referred to as CITO, Centralized IT Operations, which ran, basically, the wide area network and the data centre. Then we had eight different corporate service units. Each of those corporate service units either served an individual department, if the department was large enough, or a cluster of the departments. So we had people out there, a lot of great people, good people, doing their things and often they were doing it differently. Each of the professionals running those organizations was saying, I think this is the best way to do it and this one over here, I think this is the best way to do it. We felt the time had come that we needed to centralize this, we're getting big enough, we need more control, so we brought those folks together. It's 184 people, it created an organization that didn't exist before with all the levels of management.

So that has taken us a year. We had to put senior management in place, the next level, the next level and then move people around, where do they sit now? Do we have too many people on the help desk and not enough servicing the desktop? Where does all of that balance

[Page 11]

out? So, yes, it was a very big project bringing all of that together. We're pretty well finished that phase of it now, so in that sense it is huge.

The next phase is all the servers and equipment that's out there. Like I said, for the most part our equipment is held at the data centre, a secure facility with backup generators to keep going for power, all these types of things. There are servers that sit out in other buildings, so let's now start consolidating that into the centre.

MR. PORTER: Right. Of the 184 people, are these folks all IT background professionals?

MR. KEEFE: At different levels, of course.

MR. PORTER: That were brought in . . .

MR. KEEFE: They were hired specifically for IT.

MR. PORTER: They didn't come from within the government body to begin with other than a few, maybe like yourself, who were overseeing it?

[9:30 a.m.]

MR. KEEFE: Yes. Some may have come up and gotten appropriate training and so on, but for the most part no, they were hired to be the IT specialists in whatever area.

MR. PORTER: How many users within government, any idea?

MR. KEEFE: Within the Civil Service there's probably around 10,000, in that range. And I should point out our office is limited to the Civil Service. Health - all the health boards have their own version, if you will, they have their network and the school boards have their network.

MR. PORTER: Right, and I was going to get to that, too, so we can go to that now. I guess the question really is, the people would wonder, if we have all of this, why do we have more than one? Why isn't there one umbrella? Why does Health have their own thing, because there are issues within that as well? We had them before us a couple of weeks ago. The school board the same way, there are issues, and I think the Auditor General's Report probably spoke to those somewhere along the last few years as well. Why isn't there one? It seems like you're moving, with 10,000 people it's pretty big, as we've just gone through. Do you see, deputy, a time when this all does fall into one?

I don't want to ask the Auditor General, I'm sure he's probably thinking over there now, as well, and maybe he has already and he can offer input if he likes. Would you see that

[Page 12]

as somebody really managing this from one aspect? The IT people probably would, knowing a little bit about some background there and how they like to manage things, they probably would, so I'll give you some time on that.

MR. KEEFE: I think that's where we're headed eventually, it's a matter of time. You mentioned you were looking at the electronic health records so you would have met Sandra Cascadden. I had a chat with her about a year ago, she's essentially doing the same thing across the eight or nine DHAs - I can't remember the number - that we're doing here, trying to consolidate across all of the - so when I first took over as CIO we had the chat, should we try to do both at the same time? We figured, let's not try to boil the ocean. I had a big piece to do here, she had a big piece to do there, let's get those to an end point and then maybe look at it's time to bring them together.

MR. PORTER: It would seem to me that it would make sense if it was all brought under one, you'd all be following the same sort of security measures and any number of things, whether it was something as simple as passwords or some of the other issues. We do have issues within those other areas that seem to be lacking that have been pointed out, whether they're security things or what have you, passwords, who has levels of what and so on. I'll just sort of - maybe I'll go to that, a little bit about inappropriate access.

You say that you're not aware that there has been any within this system and you used the words "performance management" I think, when you were talking about that. Well, those are great words, but what does performance management mean when it comes to inappropriate access? How it's monitored, that's really more of my - you talked about the monitoring being a performance management piece. How do you monitor 10,000 people and how many levels are there of access?

MR. KEEFE: Behaviour of the staff is monitored, of course, by their management, that's what I meant by performance management, all staff having managers and different levels. Just like in any other activity the boss will say, you're doing a good job, you're doing a bad job; do more of that, don't do that. Using the computer is no different. The use of the computer is part of the performance and behaviour in the workplace that the boss oversees, so we don't try to do that centrally, that's just part of managing activities of employees. So it would be their supervisors, are they doing it appropriately? As I said, on systems such as motor vehicles, there are logs that can be reviewed when you get a hint that there's something wrong, to look into after the fact.

On having the one IT system, I think there's another driver that's probably going to take us there, as well as the issues you mentioned and that's simply cost-shared services, we can save money. We're all aware we have a fiscal situation we need to try to solve without reducing too many services to citizens, so there's one way to do it. If we can combine these into one group of shared services, we should be able to deliver the same level of service but do it cheaper.

[Page 13]

You can see other problems as well. We're moving in that direction, we've chatted with our colleagues in New Brunswick, the approach they're taking. They're taking two approaches: one for health, one for everybody else. We've chatted with our colleagues in B.C. to learn how they're progressing and then if we can learn from them how they did it, that should help us to do it faster.

MR. PORTER: Just on that, before I move on, I want to ask a little about the monitoring, a little deeper about the monitoring. If I was the guy who was sitting there and I was trying to go somewhere I shouldn't, I guess is what I'm getting at, by way of access, is there a bell that goes off? I know I came from a world where technology was a huge piece of what we do and if somebody tried to get in somewhere they shouldn't, the IT manager would know that, via some electronic tool that he used or searching back, doing reviews, et cetera. Does that exist within this current software right now? How does that work?

MADAM CHAIRMAN: Mr. Peers.

MR. PEERS: Most of what we have now is log-based, so part of it would be auditing. In the case of inappropriate behaviour and inappropriate access - you mentioned the other systems that we have - that's part of what your managers will be checking, to make sure that if you access someone's records you had a reason for it, you're working on that case file or that kind of thing. We do that as part of Community Services, we do that as part of Service Nova Scotia and those kinds of applications.

Across the broader network, yes, we have a lot of logs, we do audit it, we do look at it. There's always room for improvement but as Greg has said, a lot of those devices are expensive, require time to set up and require resources to run. Part of when we're emerging forward, we're going to improve that capability across government because we now have more bodies. Some of the efficiencies we gain on the help desk, we can move those bodies to more monitoring and more auditing tasks.

MR. PORTER: Thank you and just on that, with 10,000 people it would be very difficult. I was just kind of curious as to - you did mention the logging, I'm familiar with that, how often would you say that is done? Is it a daily thing? Is it a weekly thing, a monthly thing with folks?

MR. PEERS: It would very much depend on the system - on a per application basis almost.

MR. PORTER: Right. And again coming sort of from a background, where I worked for EHS and communications over there, so we always liked to be on the leading edge but not the bleeding edge of technology - that's a very common phrase in that world.

[Page 14]

With Windows 7 and any time that you move forward, there's always an issue of bugs and things that you have to work out, updates and so on, fixes and whatever they call them these days, as you move along, and most of them are pretty simple. How far in advance here - you know, Mr. Keefe, you talked about moving forward to Windows 7, that seemed to be where you were heading, and maybe Mr. Peers will want to take the question - either, it doesn't matter. In something like this, we've already seen some significant issues along the way in Service Nova Scotia and Municipal Relations, I'll just mention, but one of those, for whatever reasons, technology-related, we know what that does to people. They get a little ticked off at times when things are closed, for whatever reason, generally not a big deal. They're usually short a number of hours or a day, or whatever, and with technology these things happen, unfortunately.

As we move forward, how much planning goes into something like Windows 7? If you talk to people on the street, oh my God, don't touch that, or don't touch Vista. Everybody has an opinion, I guess, is where I'm going. So putting aside opinions, now we're talking about the reality of life in the world of technology, how do we decide if we're going to Windows 7?

MR. KEEFE: Well, that's why it needs a significant amount of planning. First of all, we have to run the software, test it in our environment to make sure all the security is patched, it works. We need to check the inventory of all the devices on the network, do these still work or does Windows 7 not have a driver for this printer, it means you need to replace the printer. How about the software you're running, does it all have a Windows 7 version?

It does take time. We're usually several years behind rolling out a new version of the operating system because it is so fundamental and you have to do all of those checks.

MR. PORTER: And you mentioned about XP, I think, here a few minutes ago, about not being supported anymore but XP is just now really at a point where they seem to have worked out the number of bugs as they get ready to move on. XP tends to be working generally fairly well and there are still a lot of users, I'm not sure about whether there are or there aren't but I think you can still get things repaired. I know I do all the time and that's what we use and it has been one of the better ones, although there have been a number of fixes, patches, whatever you want to call them, but that was a question I was concerned about. That's where I was going next. Going to Windows 7, what does that mean? How many things do need to be changed? Are they that significant? Maybe they're not, because it's still a Windows program, things like simple software for moving onto printers, et cetera, so I'm just kind of curious. It's always about money, it comes back to the dollars. How much of an expense are we looking at here to get onto Windows 7? Again, knowing it's going to take however long - they are long, these project plans, there are a lot of details, as you've said. Any idea, although maybe not time-wise, about a dollar figure where we're going here?

[Page 15]

MR. KEEFE: No, I really don't. We would like to do it as transparently as possible. As far as the roll-out we can update a lot of computers from central, you don't have to go to each machine anymore, so the actual process of doing that doesn't have to be necessarily that expensive, but it is the checking and evaluation ahead of time. I just had to get a new machine at home and it has Windows 7. I was quite impressed actually, compared to when I switched over to Vista where I had to throw away two printers, get rid of software, it was quite painful.

MR. PORTER: So through attrition we would move to some of those things as we replaced equipment, I can understand that. I guess the only thing with that then the next question would be, how do you consistently get everybody where you need to be? Here we are partially on this or partially on that. Or do we actually move everything at one time, which I would think - I see Mr. Peers shaking his head no and that would seem reasonable although it's a lot. Again, I keep thinking back to this broadness of 10,000 users, it's only one piece of the pie, there is still the school board, there are still the district health authorities and so on. I guess the answer is, no, we would be generally moving them along, training folks and so on and doing that.

I'll just move right on then, the 184 staff - they are the ones who would be responsible here for all of the training of staff when we move, just for example to Windows 7 or wherever we go - how much training would they need? Would it be very minimal and would those people within the 184 staff be the folks to do that?

MR. KEEFE: No, those 184 folks wouldn't be doing the training. The training, again, would be arranged by the various management in the departments that they need for their staff, probably using the Public Service Commission. If it was a standardized training or specialized training, you'd go buy it on the street. So no, the responsibility to have the training done is with the managers.

You mentioned the motor vehicle system, that was, in fact, one of the issues there where those staff for years had used what we called the green screen technology off the mainframe so there were no mice, very simple systems used. A lot of those staff had never used Windows, certainly never in a work environment. The new motor vehicle system runs on Windows. It was not only a matter of training the new motor vehicle system, you had to train people how to use Windows, but that was done at the operational level as opposed to at the IT level.

MR. PORTER: So just on the training for a second before I leave it, you would contract that out to someone else or it would be done with qualified people who are already within the department. Let's just say everybody's using XP today, we're going to switch next month to Windows 7, somebody of that department has to be trained in Windows 7. You send them, they acquire that training through training the trainer, how is that done?

[Page 16]

MR. KEEFE: Almost all of the above. As I said, it is the responsibility of the management to make sure that folks are trained. We do have the Public Service Commission, they offer a lot of standardized training where there is large demand for a particular training and something like Windows 7 could easily be. Other times though, if it's fairly specialized and you have a smaller group, then we'd go to the street to buy the training.

MR. PORTER: And would those trainers, if they were from within, be working with the implementation of Windows 7 from the IT perspective, the management, the project plan somewhere along the line there as everybody is learning this - I mean, I know that the IT folks tend to be very technical and they plug in wires and this and that and they're all technical-like, but when it comes to the training aspect, would there be somewhere in there that the - for lack of a better term - I guess the IT manager would say, okay, this is how this works, this works and this works over and above what - I mean, you could go on-line and get your software and your training and you could do your thing, but we all know there are always other technical glitches and issues in there that the specialty people who are actually putting the systems in would have great knowledge of. Is there any interaction there or are they just sort of left to figure it out as they work through it?

MR. KEEFE: No, we're always available for consultation and, as I mentioned, as part of the Microsoft suite that we licensed last year, that has on-line training as well, so when we're ready to move to Windows 7, all that on-line training will be built in so you can give people a basic amount to get them going and there's always the Help screen and on-line.

The other thing, a strategy that's frequently used - I know we use it a lot at Service Nova Scotia and Municipal Relations - is we have what we call power users. So one or two people in each area would be the gurus for the system that other staff could go to when they hit something they hadn't hit before.

MR. PORTER: Would we foresee the 184 growing, deputy? Is that a number that works for you? Is it enough? It seems like an awful lot of people, but when you're talking about 10,000 and the amount of work that you do, I think people need to appreciate how much work that actually is and, you know, every little problem that comes along every day, they do exist. Is 184 enough, or would you see that growing as well as - I think you mentioned a $17 million budget that you currently have. I know there's never enough money; you've said that already. I've heard that ever since I've been a member here. It's a regular thing and it's something we all are aware of, and I appreciate that very much but, you know, as we move forward, is it adequate, do you think, or do you need more?

MR. KEEFE: No, I believe it is. I think we're in good shape now. We've actually added a few this year - well, probably in terms of numbers, go away again in a couple of years, simply when we're in transition, we had to put in some management level that wasn't there before. So we added those in, but as we work through the staff down below, we'll be able to eliminate some positions. As I said, we were running, what, eight help desks before, which means we had to have enough people to be there early in the morning, later in the evening, cover over lunch hours, sick. So there's obviously some downtime in each one of them.

[Page 17]

MR. PORTER: Sure.

[9:45 a.m.]

MR. KEEFE: When you combine them all, you can eliminate some of that downtime and, therefore, be more efficient. So, no, we think we're fine.

MR. PORTER: Great, that's good to hear actually, it's very good to hear. I want to talk a little bit about the organization chart - you talk about the organizational structure of everything. Can you just give us a broad overview of what the organization chart looks like in this whole system? Obviously there's yourself, the deputy. How does it flow from there?

MR. KEEFE: Well, from me it would flow to Holly, and perhaps I would let Holly provide the detail.

MS. FANCY: From the Chief Information Officer position, we then have three major divisions, one being the operations of the infrastructure and the next one being around policies, strategies, standards, architectures, that piece of work as it relates to IT, and then the third division would be the security piece that Wally resides in. So we have three major divisions within the office. The bulk of the staff are in the operations side. So we have approximately 150 to 160 people on the operations side making sure that we're taking care of the security of our network, and then probably 20 or so inside strategies and then security.

MR. PORTER: Great, thanks very much. I know when we all thought technology was a wonderful thing, and e-mails, I'm sure there are probably hundreds of thousands a day that are exchanged within these employees and our staff. Does anybody use paper anymore? I'm just kind of curious, and I'll get to that, but we seem to have created more than - are we moving away from it, I guess is my question, because I know that we're still using lots and lots of paper. When are we moving away from this?

MR. KEEFE: I would love to move away from paper. A colleague of mine, who's probably a little cynical, said when we brought in all these computers, essentially we made a printer available for everybody. So we essentially gave everybody a printing press and expected the paper to go away. I think we're a long way from a paperless world. I think we're starting to reduce it. There are a couple of pieces we need in place. One is we need to update our record standards for electronic records. That's still spotty. Some places have moved to implement that. An example from my previous life, the Registry of Joint Stocks - the electronic record is actually the official record, not the piece of paper, where in most systems it's the other way around. So we're starting to move in that direction, but we need some new tools. The software we're looking at, called FileNet, which helps us manage electronic records better, we don't have that fully deployed yet. It's only in a few places. So as we move there - but a lot of people just still like paper. I mean, it's the human thing - it's easier to read it like this than to go find it electronically.

[Page 18]

MR. PORTER: It is, and I realize that. Is my time up, Madam Chairman?

MADAM CHAIRMAN: Your time is now up, Mr. Porter.

MR. PORTER: Well, I'll come back to that.

MADAM CHAIRMAN: So you can come back for the next round. I would like to turn the floor over to Ms. Kent, representing the NDP caucus, for the next 20 minutes.

MS. BECKY KENT: Thank you, Madam Chairman, and thank you all very much for coming in. I have to say that one of the first things that comes to mind as we're talking about this is really a sense of complacency, that most users who utilize anything related to technology have a sense that your world is right there. The security around it is so important, but I'm so thankful and comforted that we have strong people like yourselves and your department now to take care of that, and all Nova Scotians would be as well, because when you're utilizing these, whether it be your BlackBerry or your computer at your office or in your home - and our children then have this whole other element of it - I'm just thankful for that and just want you to know that we really, really rely on your expertise. It's good to hear this information.

It is a way of life for everyone now, whether it's a senior who may not have access to a computer at home, they have someone in their life who is working on their behalf and their information is there in the province that they need to have protected. It affects everyone. I should note to everyone around the security system on their BlackBerry, although I've not lost mine, until you have experienced someone in your life who has lost a phone, for instance, and they say to you, I wish I had that code that you have, then you realize just how important that is. I think it's a great thing. I don't know if you get that feedback very often, but I like the fact that I have mine on my BlackBerry.

I just want to get a little bit of information around the process of setting up our offices, this department and such. I wonder if you can give me a sense of the process that was taken to set up the chief information officer's new office and when was it up functioning. How long have you been operational and are there things that are still left undone to make you completely high functioning at this point?

MR. KEEFE: Maybe I can give you the broad strokes. We did a fair bit of consultation within government, when I was doing this in my previous role, to lay out what this would look like, to take it to government as a proposal to get their approval.

[Page 19]

Moving in, we decided we were going to take a slow, methodical transition plan here, it's the best way to do it. Certainly in talking to my colleagues, they were very concerned that nothing drop through the cracks as we were transitioning. It's fairly obvious to say, today, we are totally dependent on those networks. Those 10,000 staff, a vast majority of them would have nothing to do if the computer wasn't there, so one of the things we couldn't risk was the network going down or an increase in the level of disruptions as we were transitioning.

We took things very step-wise. First we got the management level in place and for a large part of what we did during the last year, even though the office was in effect last April - and if you looked at the organizational chart on our HRS system, you would see all those people moved in under Holly. Well, there were Holly and 106 people, so that doesn't work, they had to put management level in place. So the people that managed them before in the CSUs still continued to manage them for us for the year as we gradually transitioned in.

Let's take the network folks, okay, we got those nailed now. Let's bring in the help desk folks. So we staged it to make sure. I think we're pretty well there. We've been through the union, tech change they call it, where we explained what we're doing. We've gone ahead and created a lot of position descriptions. The people who were doing job A before - we might have a few more or a few less than we needed in job A now. Where do you place them in the new system? There's a lot of work going through. Maybe Holly, you can let us know where we are today.

MS. FANCY: Certainly, where we are today - Greg has mentioned all of the people in their positions so they know where their positions are. Right now we're really heading into a planning stage for just a few weeks, but definitely a planning stage, around refining our service delivery model. So what is this new organization's service delivery model going to look like?

We have all together about 600 service components that we're dealing with here that we're trying to transition, so it's fairly significant from a service perspective to all of the departments. We're looking at defining what our new service delivery model is come April 1st. We'll take over the management of those individuals now that they're in their positions and we'll slowly transition one service at a time into the organization to be managed by the chief information office. So there's a fair bit of looking at the services, trying to determine the leading practices around delivering that, making sure we have some common practices around the operations of IT, and also making sure we take some of those resources and look at the security services. We're always on a continuous improvement road as it relates to security. So we'll still be transitioning for another few months but it will be one service at a time. The reason why we want to do that is because we want to manage the risk so we want to continue the service levels, what they are, as we move through transition.

[Page 20]

MS. KENT: Thank you very much. I'm still trying to connect how your governance model, which I think you hit on a little bit, how that then translates into addressing the concerns around security and IT. Could you offer a little better understanding for me than that?

MR. KEEFE: We have, still being drafted, a new governance model because we're not the whole picture as we've talked, we've got 180 people who essentially run the network and manage security but it is also the activities of all those users out there that impacts security as well. So in the past and still for now, we have a deputies committee called a BTAC - Business and Technology Advisory Committee. It was a committee set up by Treasury Board years ago, that allows us to work horizontally, to try to measure, to manage those issues.

Staff have come up with a replacement for that, a series of committees. There's three of them, I can't remember - security, infrastructure and so on. So that's where staff at the operational level tend to get together to manage all these issues and then we have an escalation process, so if they can't agree, and this will often happen, you know professionals will have differences of opinion on the same topic and you need to resolve it. So we have an escalation process that comes up to eventually the deputies committee for that to be resolved and a decision made.

So in addition to the office itself, there are these series of committees that straddle government business as well as IT, to manage the issues as they emerge. I'm not sure if that answers your question.

MS. KENT: It does, it's helpful, thank you very much. Again, as a person who utilizes IT all the time, but I recognize that I am by no means an expert in it and I appreciate that I don't have to be, frankly, as you probably appreciate that you don't have to be what we do, an elected official.

We hear terminology like wide area network, one, can you just help me understand, in layman's terms, what that is, we reference it. Mat is telling me he would tell me but I would rather hear it from you, quite frankly, although he's a good support for my BlackBerry.

MR. KEEFE: Well the wide area network is essentially the infrastructure and the pieces of hardware that connect our computers from Yarmouth to Sydney. So basically in our network there is not a whole lot of difference. If you log on in the office in Yarmouth or you log on in an office here in Halifax, you are in the network.

We don't own it all, we manage certainly a lot of the servers and the computers but a lot of the wire itself is outsourced, if you will. We go to tender and Eastlink runs most of it now. It has been Aliant in the past. They bid, we run over their cables. That, of course, is encrypted - something leaves our server, it is encrypted, it zips down their wire, it hits our server, unencrypted. So while it is in their network it is encrypted, it is not visible to anybody.

[Page 21]

It's very broad. It's a series of computers that run up a data centre, service computers on your desk, as well as Eastlink's and Aliant's infrastructure around the province that we also leverage. We don't run all our own cable around the province.

MS. KENT: Okay, so on that, it is safe to assume there isn't a policy associated to that. How would a person find out more about that policy or have a copy of it?

MR. KEEFE: Well, we do have a policy. It's part of the government management manual, you will find it on the Treasury Board Web site for use. The management manual, I believe, it is in Section 300 but it would be there - yes, Section 4.8, there it is.

MS. KENT: Can you update me on the status of the review of that? We've got it, we're using it and part of the audit or part of anything is to review it, is it functional. Could you update me on the status of the review of the one and as it is associated to the threat and risk factors?

MR. KEEFE: One of the issues pointed out in the Auditor General's Report was that we hadn't reviewed that policy in a fair while, so since then that has been done. We've revised the tools and processes we use to do that evaluation, based on current best practices.

I should mention that our staff, just like every other program in government, we meet regularly with our colleagues. There are national groups for just about every area of government you can think of and security is no exception. Wally sits on one of those groups so we share best practices. I can't remember the initials we're using for the latest one but we have come up with some new methodology for evaluating. We've done the evaluation of the data centre. So it is progressing. I don't know if we can tick that one as totally done, but we're very close.

Also, as I mentioned, we thought as an extra step, is not just that we got the policy and the tools in place, what we still need to know, well, are they being used and effective? So that's why we went to internal audit and asked, can you guys arrange to have someone external to us test our system to see if this stuff is actually working and can you also see if we have wireless where it shouldn't be, try to hack our system, go ahead, boys, come after us. So by doing that they'll be able to tell us if we have any weaknesses. That's not done yet, but so far it's not looking too bad so I'm not too nervous of the end report, but even still, even if it does uncover some things, that's a whole lot better than not knowing because if we don't know the problem is there, we can't fix it.

[Page 22]

MS. KENT: So is there a plan within the chief information officer's processes that ensures that review or that independent assessment will happen at a certain rate or time frame or is it whenever it just comes to light?

[10:00 a.m.]

MR. KEEFE: Yes, well, again, this is the first time we've done this in a while. One of the things we're going to ask internal audit to do, when they're finished this and they have their evaluation, based on what they've discovered, based on their assessment of the risk, is advise us as to how often we should be doing this and who should be doing it.

MS. KENT: Madam Chairman, at this point I would like to offer some time to my colleague, Mr. MacKinnon.

MADAM CHAIRMAN: Mr. MacKinnon, please.

MR. CLARRIE MACKINNON: It's great having you here this morning because I, too, am not that technical and it's great having you around every day. One of the things that I would like to zero in on is the 184 employees. Now, those personnel, some of them were actually transferred from other departments and there were a number of new people who have come along. Can you explain the hiring practices? Your report also looked at the security check on new employees and there was a real concern there. Can you just go into the hiring practice and elaborate on that a bit as well?

MR. KEEFE: For the most part our hiring practices would follow the standards set by the Public Service Commission for any employees anywhere in government. Perhaps I could ask Holly to elaborate.

MADAM CHAIRMAN: Ms. Fancy.

MS. FANCY: Yes, certainly we align ourselves with the Public Service Commission and the policies that they have in place for fair hiring practices. As we looked at the hiring that we were going to do inside the Chief Information Office, we held competitions for the new management of the organization. So there were competitions that were held within government to create that new management structure and for the professional staff we worked with the Public Service Commission as well as the unions in order to transfer all of the staff from the nine different organizations within government that we were bringing staff into to make sure that we were fair in placing people in the correct positions based on their current duties and duties that they would be performing within the Chief Information Office - so competitions for management and placement for professional staff.

MR. MACKINNON: But looking at the security background checks, what percentage, or how many of the 184, would have to this point received those checks?

[Page 23]

MS. FANCY: Certainly, what our approach has been is that if security checks or criminal checks were being undertaken, they were being done at the program level. So previously within the departments, if a program and this IT person was working in a specific area that they required a check, that would have been done. So we've just transferred them in as is. What our approach is going to be is any new IT personnel that we would bring into the office, from here on in we would go through and align ourselves with the Public Service Commission guidelines around criminal checks.

MADAM CHAIRMAN: Mr. Keefe, would you like to add to that?

MR. KEEFE: Yes, perhaps I could add a bit of clarification - I wasn't sure we were clear in the beginning. Basically, what we operate in the CIO is the infrastructure everything runs on. The applications that departments use - whether that's the motor vehicle system, the income support system, the electronic medical record - they are still managed at the department level, so they do the development on those, they do the support, and when Holly mentions that it is program dependent on the level of checks because that is where a lot of the real risks are - it is not necessarily the folks running the hardware or the help desk, but it's folks that are running those major applications where all the data is. So those are outside of our office. Whether they will stay outside forever, I don't know, but that is how we set it up now. We left those well aligned with the business, because they serve a particular business need in the department.

MR. MACKINNON: The member for Preston talked about the laptop scenario and you indicated that you would supply us with the percentage of laptops as opposed to fixed computers. I have a concern, and you have addressed part of this already, but are there a number of government employees out there with laptops that aren't on the network that do have sensitive information on them?

MR. KEEFE: There would be some. Certainly, we have a lot of government employees who work in the field; they don't necessarily work in an office. I am not aware of all of them, but it certainly wouldn't surprise me at all if some of those folks had laptops and some of them would have data on there to enable them to do their job. Like I said, it has been our policy for a long time now that laptops are password protected, that you would need a password to start it. We need to ramp that up a bit; we need to enhance our security there a bit, which is why we're moving to encryption software on the hard drives so that the hard drives, in addition to being password protected, are encrypted - so if somebody manages to get past the password, all they have is encrypted data; they don't have clear data. So we recognize the risks, we're concerned and taking steps to raise that to the next level of protection.

MR. MACKINNON: Another area that has been touched on as well is the wireless end of things, and certainly in my own office, which is adjacent or very close to a medical office, sometimes going on mine, at one point, I was being served by the medical clinic just

[Page 24]

across the street as well. I know in New Glasgow, for example, there are people out in front of the library, sometimes early in the morning, actually getting on to the library's system and so on. So just go in again to the security involved here with wireless, or the lack thereof in some cases.

MR. KEEFE: That is why we need a corporate solution. There are, sometimes, legitimate needs to have folks be able to anonymously connect to your network. I'll give you an example, in our Access Centres we have some self-serve kiosks where people can sit down and do their own thing. So obviously, they need to be connected to the Internet to get their work done, but those are outside the firewall of our network. Same thing with wireless - sometimes you need people to be able to hook up to the wireless when you do a presentation in a room. There are different reasons. So you need to be able to control not only access to the wireless, as I mentioned before, where if it is a critical piece of equipment you need the passcode and MAC IDs locked down and these types of things. Also, if you need a wireless that needs to be accessible, then it has to have proper firewall protection behind it so that it is not part of our network - it is connected to it, but outside the core.

MADAM CHAIRMAN: Mr. MacKinnon, your time has just elapsed now. There will be another round of questioning. I have allowed 12 minutes for the second round of questioning, and we will begin with Mr. Colwell representing the Liberal caucus.

MR. COLWELL: Again, network security, and as my colleague was just indicating, on the laptops. That's got to be very difficult to control and to monitor. What steps have you taken to ensure that security is indeed there when it needs to be there?

MR. KEEFE: Well, as I mentioned, when laptops are issued, they are set up to be password protected, they have virus detection software on them, and they have firewalls on them. That has been in place for a while.

Our next step is to start using encryption software and perhaps I could ask Wally to update exactly where we are on that. I know he is doing a lot of evaluation as to what works and I believe we are at the RFP stage but Wally might be more up to date.

MADAM CHAIRMAN: Mr. Peers.

MR. PEERS: Sure. For the desktop encryption we tested a number of products internally with IT. We came to a decision on one that worked best with our systems about mid-February. We issued the RFP and right now they're sitting on my desk just waiting for me to pick the winning vendor.

MR. COLWELL: So it's well underway and well in hand. I'm going to ask another thing here. There has been a lot of discussion over a number of years about the SAP system and a lot of controversy, whether it is secure, whether it is operating properly, everything

[Page 25]

under the sun. I think some of the concerns are very legitimate. Do you control the security in the SAP system or is that done by the contractor that is supplying it?

MADAM CHAIRMAN: Mr. Keefe.

MR. KEEFE: No, I believe that would actually be done by our Core Competency Centre. Yes, there's a centre within Finance that operates the SAP system for us and all the users, which are numerous, so they would look after the security around the SAP system. They are in Finance, they are a division, a section within Finance, the CCC - Core Competency Centre, and that's where that would be managed.

MR. COLWELL: Everything else has been merged pretty well in government, except for that - you have security?

MR. KEEFE: No, we didn't make the CCC part of the CIO. It was considered, but again, we're trying to take this in bite-sized chunks to avoid taking on more than we can accomplish, so it was identified.

There are a few other places - Geomatics, for example, up in Amherst, where they basically manage all the geographic information about the province, mapping, these types of things. That could easily be a candidate to move in.

We've identified records management. A lot of what we're talking here comes under information management, a broad umbrella and the records, as was mentioned in the report and that has come up a few times this morning, that's a big piece of this, too. So we have identified that as being part of the Chief Information Office and we'll be transitioning that some time in the next fiscal year. It currently resides in Tourism, Culture and Heritage. We'll be moving that and that will be the next step.

To look at CCC, I'm not sure what the timing would be, but it would be on our radar at some point to evaluate - okay, do we bring that in as well.

MR. COLWELL: So, how far away do you think before you'll have all these under one roof, where they really should be, and have the expertise really? I'm not saying the other departments don't have the expertise, but you have broader knowledge based on why you were there, just basically why you're there. How long before you think you're going to be able to take in all the rest of these departments, operations and departments?

MR. KEEFE: I suspect it would be measured in years. It will take some time but one thing that could change that, as I mentioned, one of the reasons you do this centralization is to get the added security, to get the added standards. The other reason to do it, though, is to save dollars. So if this is targeted as an area where we can save some dollars to try to address

[Page 26]

the fiscal situation, then perhaps we might be able to get the investment or some funding necessary to make the change a little bit quicker.

Right now we're trying to move along with our current operational funding but if government decides no, we want those changes, we want those savings in two years, well then that would give us some investments, we would actually be able to accelerate that level of change.

MR. COLWELL: Yes, and ultimately save money long-term, substantially. Back to the SAP system again, and I know you can't comment on security because you don't look after it, unfortunately, but I think it would be nice to have an organization outside of that to ensure that system is secure because from what I've heard from all avenues, there seems to be a serious problem with that software, continuously costing us a fortune to maintain it, upgrade it, you name it. I don't even want to think of what the cost has been for it so I would think there would be something that maybe the cost-saving could really be, for the security part of it at least, transferred to you sooner than later. Have you any views on that?

MR. KEEFE: No, although the SAP system is a very large system and, as you pointed out, expensive. The reason you go to a system like that, enterprise software, is to try to eliminate all kinds of pockets of software that were there before. So the business case is looking at the total costs of ownership across the whole broad spectrum. But one of the things about applications like SAP, it has basically been designed from looking at a lot of the best practices around the world, what organizations do, and we're no different when we employ it, we try to tweak it to our business practices. When really, to take the best advantage of software like SAP, you take your practices and modify them to the software, because it has already been designed to be a best practice. So one of the initiatives we have going on in finance now is to do exactly that. Let's start moving to a more SAP process rather than our own that were there before and try to modify SAP. That will simplify our environment, simplify upgrades and reduce the costs you've been talking about.

MR. COLWELL: That's a good move. I'm glad to hear that. You also mentioned that you've gone to your wide area network with Eastlink now over Aliant. What did that save the government by doing that?

MR. KEEFE: I don't know. I'm not sure.

MADAM CHAIRMAN: Mr. Peers?

MR. PEERS: The number was in the millions and there was also a side benefit as well. Not only do we pay less, we're also getting kind of like the next level up of bandwidth, if you will, we have the next order of magnitude, faster connections to all our sites, things like that, more overall capacity, if you will. It got cheaper and we have more capacity out of going with the contract the way we did.

[Page 27]

[10:15 a.m.]

MR. COLWELL: Whoever negotiated that contract did the right thing, it sounds like.

MR. PEERS: They did a very good job, yes.

MR. COLWELL: That's good to hear. It's good to hear some good things that have happened in government instead of always - when we move forward, there are so many things that need to be corrected, let's put it that way, in the process.

As you go through the security process, are there some benchmarks you look for? Do you go into each department and look at each - for instance, if you went to a particular department, is there a whole pile of things you go through before you set it up and you start handling their security? What's the process you use to identify the problems, eliminate the problems and then bring them up to the standard where they should be if, indeed, there is a problem?

MS. FANCY: Certainly there are industry best practices that we look at and we make sure that we're adhering to those industry best practices, as well, the work we do with our wide area network security policy and making sure that the policy is up-to-date and in line with industry best practices and making sure that departments are adhering to that policy.

On a more grounded level, any new system that is going to be brought on to the network is reviewed by the security authority and has to be approved by the security authority, and it would be reviewed against industry best practices and our policy before it is allowed on the network. As well, the security authority would also provide advice to departments that are building new applications as to what the best security models would be to build into those.

MR. COLWELL: As I mentioned before, there have been some security breaches in the past that have been highly publicized and I'm sure there have been some that definitely haven't been publicized and that's fine too. How do you ensure, once you've set the structure in place and everything is in place, internally - I appreciate you did hire outside the firm and I think that's a good idea - how do you police that and say, okay, this has been in place, now how do we make sure that this is happening?

MR. KEEFE: Yes, a lot of that work would take place, as I mentioned, just as part of managers doing their day-to-day duty. One of the things that the Auditor General's Report pointed out - the report focused on the governance as opposed to the actual activities going on and in our distributed system where we were weak, as was pointed out, we never had the systems in place to be able to answer that question that you just asked and that's the reason we need to put the IT governance, and all of the other tools that go along with it, in place.

[Page 28]

I'm quite confident a lot of it, indeed, was happening in each of the various pockets where the control is, but it's the process, it's the reporting and so on that you've just asked about that we need to put in place to make sure we can assure ourselves at the top that it's happening there in the field where it needs to happen. We're getting close to getting that finished with our IT governance model that we hope to have approved and signed off in the next month or so and get that working and then we'd be able to start getting the level of reporting on oversight that you've asked for.

Right now we're very largely dependent on the folks that are out in the fields to make sure they are doing that and I have no reason to believe for the most part they aren't, but that's why we need the governance model as was pointed out in the Auditor General's Report: to make sure that we can assure ourselves, more than just believe, that our good folks are doing a good job. Let's have some objective evidence that they're doing a good job.

MADAM CHAIRMAN: Ms. Fancy.

MS. FANCY: In addition to what Mr. Keefe has talked about, we also are looking at the wide area network threat risk assessment process, and we've taken that process and we've updated it. We've also looked at a tool that will help us implement that process, and so we've put that in place and we're currently just beginning to execute that threat risk assessment on the wide area network. So that will indeed help inform whether everyone is adhering to the standards, and will provide some monitoring of that and a really good look at what the threat risk assessment is and, in turn, the results of that will help improve the policy work and also ongoing processes of monitoring.

MR. COLWELL: I believe, as you do, that we have a lot of really good managers out there, and I think probably if there's an issue, it's not because they haven't tried. It's because maybe they're not up to date or haven't had the opportunity to get up to date. What are you doing in that regard to ensure the managers who are actually policing this on the ground are going to get that training?

MS. FANCY: Certainly we're looking at enhancing this and creating a security awareness program for employees across government, but also within the Chief Information Office we have training plans. So the IT, the subject matter experts - we make sure that we have the appropriate training for the individuals who are working in operations and with security, that they're kept up to date, because as we're all well aware, technology is changing very, very rapidly. So we do have training plans within the office but are also moving towards a security awareness training for employees across government.

MADAM CHAIRMAN: Your time has elapsed now, Mr. Colwell. I'm going to turn the floor over to Mr. Porter for the Progressive Conservative caucus for 12 minutes.

[Page 29]

MR. CHUCK PORTER: Twelve minutes, thank you. I shouldn't take too much of that time, I don't think. I want to go back to where I was, just on the paper question. Although it's got some humour in it, it was really meant to be somewhat serious, because it is an issue for us. We're often looking at how we're going to recycle better and things like that, and cut down on such usage, but it seems that ever since we've been in this, everybody does print their e-mails off. So you still have the cost of paper, the cost of cartridges, and so on and so forth, but in the last couple of years especially, again, as technology evolves, things get better. There are these wonderful things you can buy, you know, these backup devices now, and they're really not expensive if you compare them to the cost of paper. What you can buy - I don't know what you call it, a Tbyte or 1,000 gig or whatever it is now, you can store all your things on it. I know we're using it in my office for that reason - to try to eliminate the paper, the scanning and all of these things. Are we moving to any of that? Have we moved to any of that in any of these departments, by way of strictly trying to keep things electronic and getting away from - the misuse of paper is not the right word, but another way, you know, to be more efficient and a little greener?

MR. KEEFE: Yes, there may well be different pilots going on in different departments. That would largely be driven from the business side as opposed to the technology side, but I agree totally with what you're saying. In my own case, people actually prefer to read something on a screen. I do quite a bit of that and I use one of those small drives, as you mentioned; again, it's an encrypted device. I copy files from work and I add them to my laptop and I use that device to make the connection, so I always have my files with me on that laptop. It is encrypted. Long before Wally was ready, we went and got software for myself because I recognized the risk.

So there would be folks like myself who are starting to go down this road, to figure out what problems does this cause if I happen to document electronically rather than on paper, and there would be different pilots around government. Essentially we've done - the Executive Council over there would probably generate more paper per capita of staff than anywhere else in government. It's very intensive and we're trying to move away from that, too. We started doing things at meetings rather than give everybody a piece of paper. We're flipping it up on the overheads ahead of time, even a document - a text document, not just a presentation - so all folks can see it on the screen rather than all have their copy. So we're trying to move to areas where we can get without the paper. I believe until wireless is a lot more prevalent and people are used to using things like tablets or laptops where they can access their paper wherever they are, it's going to be difficult to get totally of that world, but I believe we need to move a lot more to that world. Paper has a cost as well.

MR. PORTER: A huge cost.

MR. KEEFE: The cost of buying, storing, disposal - it has a cost, all the way.

[Page 30]

MR. PORTER: Yes, it's not just that original cost and that's what I'm getting at. People think you just go out and buy the bundle of paper and that's it. There's so much more to it than that. I realize and appreciate it's difficult to read on screen, but with the ability to enlarge print and put those things over your screens to make it easy on the eyes and so on. I was just kind of curious with that many users whether we were, at some point, going to head that way. It's good to hear that maybe we are, I think that others will get there as well and maybe some have started.

Just quickly on the wireless piece, how many users do we have of that 10,000 if any, what percentage would be wireless users? Any idea?

MR. PEERS: Currently, very, very few. As Greg mentioned earlier, we've been restricting the use of the typical wireless access point that you'd go out and buy at Future Shop, that kind of stuff, in favour of rolling out the corporate solution.

At this moment, there's only at most a half dozen wireless access points that are authorized for that kind of use, that would actually be used for government. It would only be about a few dozen users at most.

MR. PORTER: Are you comfortable with the security of that?

MR. PEERS: Yes, we've had security specifications for a long time for it.

MR. PORTER: Right on. Thanks. Just a bit on the recommendations from the Auditor General now. What do you think, in your opinion and being the manager and the overseer of this project, were some of the most important recommendations as far as you're concerned? I realize you're working on all of them, have completed some, but what did you see as some of the most important here?

MR. KEEFE: I thought the creation of the CIO office itself was quite important, that's the foundation piece to help make the rest of them happen.

The COBIT methodology that was used, it was nearer to what we were working towards anyway, but it's not so much as government framework as a list of checks to make sure - if you have all these in place, then you're probably pretty good. Using frameworks like that to help make sure you have all the bases covered and I believe that the government's model that we'll eventually get in place here with these various escalation pieces. With trying to get a lot of the day-to-day work of the government pushed down a bit from the top where you find people are pressed for time and don't always make enough meetings to get that - lowering the organization decision-making down there so that things can move along and the more senior levels are available when there is a problem or something needs to be resolved.

[Page 31]

I would say that's where the basic pieces are. I've always felt our system's in good shape from a security point of view, but as discussed earlier with Mr. Colwell, we had no objective way of demonstrating that, as the Auditor General pointed out. Until we get these things in place, we don't have a way of proving what we believe and so it's necessary to have that.

MR. PORTER: Thank you. Just quickly on the time frame, you've completed some, what would you say is the time frame for the balance of the ones you're working on?

MR. KEEFE: The end of the fiscal year coming. The only one that might not be done then is the document one, as I mentioned. From here on forward, to have a categorization on documents is one thing to implement, to go back through the literally millions of documents we have and re-categorize those would be another thing altogether.

I suspect we'll start on the here forward and then try to come up with some kind of a plan for going back. I could draw on my experience from Service Nova Scotia where we went into this, Registry of Joint Stock Companies, for example, and put that on-line. Actually we were one of the first ones in the country to have that on-line, it was back in the mid-1990s. We said from here forward it would be electronic, we never bothered any archival records.

Things like the land records, for example, where access to those records are a lot more prevalent. We had to put a process in place to go back and scan, so we had dozens of people working for a long period of time scanning book after book after book document so that it's all on-line, so it would make it more functional.

I suspect our classification scheme would be somewhat similar - what records is it really important to go back on and what other ones can we say, let's start today and work from here forward.

MR. PORTER: You've been around government for a couple of years and I'm being kind, have you checked with other jurisdictions? How do we size up? How do we compare? We'll just use our own country obviously, but how many jurisdictions and how do we compare where we're at?

MR. KEEFE: I think we're very good. Different jurisdictions emphasize different things, but we're in there with all of them. We can definitely hold our head up in terms of what we've been talking about here today.

Like I said, we meet regularly with them. It isn't so much a competition as can we bring all of us along together. Obviously different jurisdictions have different capacities for doing that, but thankfully for Nova Scotia, some of the more wealthy jurisdictions are willing

[Page 32]

to share so we are able to leverage their work, but I'd hold my head up with any province in the country to where we are.

MR. PORTER: That's good to hear. Just lastly I'll go to the folks that leave us and I guess we used to refer to them as exit interviews. You talked about you get back their BlackBerry, cell phone, or whatever, and passwords. During that, is there anything in place that says where they need to sign off? They're obviously aware of their access to a number of things, important things in a lot of departments, do they sign off on anything, that I understand the consequences of trying to hack in or actually accessing? That's the first part of the question.

The second part is, could they actually go out and do it, as a former employee, access the system from an outside venue?

MR. KEEFE: It would vary by departments as to who signs off what on an entrance or exit interview, so I wouldn't be able to say how universal that is. No, once you are outside our LAN - when I'm here I have access to lots of files. One of the frustrations when I'm home, even if I came in over the Internet, I can't get at those files because I am outside the firewall. So even if they still had their motor vehicle ID, for example, a clerk after they left, no, unless they can get access to a computer inside our network, it is still limited.

[10:30 a.m.]

MR. PORTER: All right, thanks. And Mr. Peers, if I could confirm, once they leave - I know when I left where I was, the IT manager goes in, everything is wiped off anyway, my access is automatically denied, I couldn't get in, even if I logged back into the system, unless I was given back that access, I couldn't get in anyway. I'm assuming it is the same here.

MADAM CHAIRMAN: Mr. Peers.

MR. PEERS: Yes, that's correct, if you're part of the single sign-on system, or duty management system, it's tied to payroll so the minute HR says you're not getting paid any more, it kills all your accounts.

MR. PORTER: Thanks very much and thanks for being with us today.

MADAM CHAIRMAN: Thank you, Mr. Porter. And Mr. Preyra, for the NDP caucus, you have 12 minutes as well.

MR. LEONARD PREYRA: Thank you, Madam Chairman and thank you, Mr. Keefe, and the team you've got here. I am very much more encouraged now, after listening to what you are saying. After reading the Auditor General's Report, there were a lot of concerns about how information was being protected.

[Page 33]

I want to go back to a question about the Department of Education and the Health Board and their involvement, or engagement, in this process. As I read the Auditor General's Report, I hear him saying that we need common policies, we need practices, we need standards about hiring and compliance and all that, but there isn't a demand there for one big system. There might be an argument in health care, for example, where you're dealing with very deeply personal information, or in education where you're dealing with vulnerable individuals, to have these firewalls or have these systems develop different conventions about access, but it is not necessarily saying everyone should have access to that type of information.

Really what it is that the Auditor General is saying is that we need common practices, we need best practices right across the board. Is that a fair understanding of that recommendation?

MR. KEEFE: Yes, I would say it is a fair understanding. You mentioned medical records which, undoubtedly, are one of the most confidential records we have. But the minute I say that, I think of our records at Justice, records at Community Services, so even when you look at the classification of our data - I am sometimes of the view, let's just treat everything as it needs and stay at that standard and why bother dropping it lower for anything. I have a fair bit of confidence in the people of Health, that they certainly understand the need for privacy and protection around those records. I know they are extremely challenged by the fact that to do the service they really need to do, that citizens want, they have to start allowing different people access to those records.

It's a challenging world, they have to balance the two, so your pharmacist can see it, your doctor can see it, your X-ray technician can all see the pieces, so that's a tough one.

As I mentioned, I believe we will come together at a point but we have a big job to do here, not only in terms of the infrastructure piece we're dealing with, but also in terms of the electronic health record, the electronic medical record. Those are massive projects to manage and if you put too much on people's plate, something is going to drop through the cracks. So, to my way of thinking, I'd love for them to get near the end of that process before we try to do more mergers.

MR. PREYRA: Thank you, Mr. Keefe. The awareness of these security issues, and privacy issues as well, is important to all government employees. More specifically, just as a follow-up, the Auditor General says, "We observed instances in which government IT security policies are not being complied with. There have been insufficient numbers of threat risk assessments performed and inadequate security training for computer users." I guess that is where that question is coming from.

What is the Chief Information Officer doing to ensure that all employees of government are properly aware of these security and privacy issues?

[Page 34]

MR. KEEFE: One of the pieces that we haven't got to yet, one of the six of the 21, is the security awareness training. For some, we felt that was a little bit lower risk than some of the other issues that were raised, primarily for two reasons: one, there is a limited number of things that a user can actually do to the desktop to make it less secure. The network enforces the fact that the virus software is running, the systems are updated with security patches, firewalls are in place - the user has no control over that stuff. So the level of awareness that we need to make them aware of is just not necessary, because the system does it to them whether they want it or not.

Also, in a lot of these areas, whether it is a medical record or a motor vehicle record or a birth certificate, the staff in those areas are already very much aware of the need for privacy, the need to challenge people who are asking for access, whether the record is on the computer or whether the record was on paper. So there was already a lot of awareness just by the program people of what they need to do their jobs.

Should we crank it up a bit more? Of course, especially with some of the new technologies that were alluded to here a minute ago, when someone mentioned the technology that their kids are using - the Twitters, the Facebooks, the blogs. This stuff is coming at us as well, and there we're going to need a much higher level of awareness of the social engineering type of attacks that can take place.

So, yes, we will do it. It is on our list, but that is why it is a little further up the list than some of the other things which we thought were more urgent.

MR. PREYRA: The Auditor General also said, "Planning for IT security is not adequate. We identified the need for an IT security oversight committee, corporate IT security charter and corporate IT security plan." This is an issue that keeps coming up. He is recommending the creation of an IT oversight group. Can you explain or tell us what the status of that recommendation is, and where we're going to go with that?

MR. KEEFE: Yes. Those are, again, in the pending pile. The reason they were there is we felt, well, two, that we needed the office in place. We're working on our IT strategy and our architecture, so once we had those finalized - and they are very close to finalized this fiscal year - then we will be able to do the security plan to apply to that architecture. Also, until you had the governance in place - the governance is a necessary piece of developing an oversight of the standards. So it was more of a sequencing issue, but that is why they are still pending and we will get to them in the coming fiscal year.

MR. PREYRA: Okay, one last question before I hand it off to my colleague for Antigonish. The Auditor General says, "Practices for monitoring and enforcing compliance with corporate IT policies and standards are not adequate," and he was talking about the development of infrastructure service management. What types of resources do you have, and

[Page 35]

where do you see yourself going with that recommendation? How would you respond to that?

MR. KEEFE: Well, staff has already mentioned that there are some tools we can use to do that. It is actually built into the system, but yes, the security authority currently is one person. There are security people in each of the CSUs and each of the sites around, but Wally is essentially a one-person office, which isn't enough, I don't think.

So as we start working through building the organization that Holly was mentioning, we are sure, we're confident that we're going to be able to free up some people to be able to assign to this task as well and, therefore, increase the level of monitoring that we have there. So we're moving toward it - we're not there today, but we're moving in that direction.

MR. PREYRA: It is quite remarkable, then, that we have so few incidents, if none, in the last six years, but thank you.

MADAM CHAIRMAN: Mr. Smith, you have five minutes.

MR. MAURICE SMITH: I guess what I wanted to say is that I'm just a recent BlackBerry user, and when I got my BlackBerry I was told that I had to have a password and I just assumed that was de rigueur, and so it came to me very easily, using a password. Maybe that's the way to approach it for people who are coming on, just tell them that's the only way you get one, so it's not a hardship in that sense.

One of the things that you talked about was the 24-hour number, do you have that number? I'd love to have it, if you lose your BlackBerry. (Laughter) Is it possible to get it?

MR. KEEFE: I don't know it at the top of my head, but we'll get it for you.

MADAM CHAIRMAN: I think we all would like that.

MR. SMITH: One of the things you said at the beginning of your talk is, Mr. Keefe - and I didn't get it down - you said there were a number of viruses that are addressed every month and did you say a couple of thousand?

MR. KEEFE: A couple of hundred thousand.

MR. SMITH: A couple of hundred thousand viruses and we have had no intrusion?

MR. KEEFE: No, because the system is set up to stop those. There is hardware, firewalls, software, there is fire detection software and it is very strong, very powerful and so it searches every piece of e-mail coming in before it lets it go to the e-mail service.

[Page 36]

MR. SMITH: Where do these things come from? I really don't know.

MR. KEEFE: Oh, just from all over the world. I would personally or professionally never hook any device to the Internet before it had virus protection. The world is just full of it out there.

MR. SMITH: Is it just, like I'm going to say, young kids trying to be mischievous or who is doing this, why are they doing it?

MR. KEEFE: There would be some of that, some of it would be organized crime or criminals period, whether organized or not, trying to get your data, trying to discover your credit card number or your password for your on-line banking.

MR. SMITH: So these are hackers, basically?

MR. KEEFE: Somewhat, although different people use the word hacker differently but yes. Criminal I think is the word. (Laughter)

MR. SMITH: Okay, we talked about the security issues that you told us that are there, are there security issues that - I'm trying to think what else might arise that you would have to be prepared to deal with, what other kinds of security issues?

MR. KEEFE: It would be someone trying to get access to information. For example, I believe Mr. Colwell mentioned earlier that government had very rich data holdings that people could misuse if they got hold of personal information, so that could be someone trying to break in to find information. There would be lesser, for example, the Registry of Joint Stock, which is a public database, we have had people there try to write scripts, to do repeated requests to the system so that they essentially download the database, so they can use it for marketing or something. So you put in things to prevent that from happening and if you get too many requests too quickly, you know somebody is trying to steal your data and you stop it, you drop the connection. So there are all kinds of reasons.

MR. SMITH: So, we have had no intrusions in six years?

MR. KEEFE: Yes, that's correct.

MR. SMITH: You're doing everything right then, obviously. I think somebody needs to pat somebody on the back, because if that is the case, in six years and, as you said, all of this is developing as rapidly as it is and you've been able to handle it as it comes along, then congratulations and thank you for that.

MR. KEEFE: Thank you.

[Page 37]

MR. SMITH: Those are the questions that I have, Madam Chairman.

MADAM CHAIRMAN: Thank you very much. Are there any other questions from any of your colleagues? No. Thank you very much. We are just about on time, as it is. So I would like to thank our guests and actually turn the floor over to you, Mr. Keefe, if you have any final comments that you would like to make to the committee?

MR. KEEFE: No, I don't have too much. I would like to thank the committee and thank you for your interest in this. Just to address comments quickly at the end, that we haven't had any intrusions. I should just mention that the Auditor General's Report, as it was scoped, did not particularly look at the state of our IT security itself but looked at our governance and planning around it. So where we were weak was making sure that we were standardized across the system, we were enforcing and not necessarily that the security was not in place.

What we're moving toward here now is making sure that we can demonstrate to folks that it is in place. But the vast majority of our staff is very conscientious, a lot of them joined government because they believed in the programs that they were working on. So it greatly lowers the risk of the types of intrusions or misbehavior that you talk about. Now I'm not saying that everyone is perfect, that's not the case, but it's generally the culture. You talk to folks who work on these various programs and privacy is foremost in their mind, it is what they do, it's second nature. So, in some ways, it's an easy group to work on to promote security and privacy.

That's not to say we shouldn't be doing what was identified in the Auditor General's Report. We believe we should and we need to take it up a notch, but I just want to recall that what he said was weak was our governance, not necessarily our security. Other than that, thank you and I appreciate the time here this morning.

MADAM CHAIRMAN: Thank you very much and I'm sure we've all learned a lot this morning on a subject that's important to us but maybe we don't know the technical side of it very well. I had written down three things that you've committed to bring to us. One was a comparison on the number of laptops versus the number of desktops we have in the system of 10,000 users and a list of the Auditor General's recommendations, the six. You did say you could give us just a rundown on the ones you've done and the six that are ongoing and, finally, the 24-hour help line. Again, I know all members will be interested in getting that too. I didn't know such a thing existed.

With that, I thank you very much and I know there's a lot more work to do in the coming years as you continue to centralize all of this work for the government. Thank you very much and we'll see you again at a future date. For our guests, we have some committee business, so if you'd like to leave you're welcome to leave right now, thank you.

[Page 38]

For the committee, there are three items on our agenda that relate to committee business. The first one is a letter we've received back from the Pictou County Health Authority, which would have followed up from our meeting on H1N1 and how they had been looked at as part of the Auditor General's Report. This correspondence, if you've had a chance to read it, looks at the number of deaths. Apparently we asked about the number of deaths in Nova Scotia, on average, compared to the national numbers and they haven't made it specific to Capital Health or Pictou County. They seem to have taken a national figure from 2005 so if that does not satisfy the committee member who might have asked for that, do let me know. I think that answer has come back from Health Promotion and Protection, so that's the first thing.

[10:45 a.m.]

The second one is a report back from our Subcommittee on Agenda and Procedures which did meet last week - we actually met on the 10th, that's right, last week was March break - we met on the 10th and were able to formalize the numbers of who's coming. What's interesting to note is the numbers that are confirmed and the dates that are confirmed, so I'd like to draw your attention to that. We have a number of weeks confirmed, one tentative and then two more confirmed.

Of interest to all the members is that the Auditor General's next report, which we receive twice a year, is coming on June 2nd and we had agreed to make it a single meeting as we did last time. This is not the norm but it is at the request of the Auditor General that in this case he's available on that day and not the week after so we are certainly accommodating the Auditor General's request in that to say we'll have a three-hour meeting on June 2nd. Are there any questions around the report that is before us today?

MR. COLWELL: I so move the report.

MADAM CHAIRMAN: Thank you very much, Mr. Colwell has moved that. (Interruption) Just moving the full report, that's all. This is coming to the full committee, just so we've officially accepted it.

Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

Thank you very much. That's good and that information is there.

At the bottom of that report you'll notice that we would like to schedule another meeting of the subcommittee for April 7th and that is so that the full committee can endorse the items that have been brought forward on the 14th. That allows a couple of weeks for us to schedule May because although we now have a good number of topics coming forward,

[Page 39]

we still have nothing in the month of May. Again, to help our committee clerk and move forward, we'd like to ensure that we have another opportunity, so we're not done yet, keep thinking of new items to bring to that agenda-setting committee.

The third item on the agenda relates to how we set our agendas and we have had a request to put that as a discussion item today before us. Mr. Colwell, did you want to address that?

MR. COLWELL: Madam Chairman, I've been a member of the Public Accounts Committee for a number of years. Usually when the subcommittee makes recommendations it's an all-Party issue, it's done in camera and when it comes to our committee, it's accepted with maybe some minor adjustments to it. But it seems that now when the subcommittee meets, we come back with a set of recommendations from the subcommittee and the people that were actually at the subcommittee meeting are arguing about the topics. So I would like to see the subcommittee eliminated. It was set up in 2003 by Graham Steele, who was the chairman at the time, and Danny Graham for the Liberal Party and Jim DeWolfe for the PC Party, and it was to streamline the operation of it so it didn't take the time of the committee to do this.

Now, I think things have changed since then. We all agree that we should go to a more open and public process. I think there's not anything that needs to be done in agenda setting of our committee that needs to be in camera. I think it would be a much better use of time if the whole committee would set the agenda and move forward - it had been done prior to 2003 - and make it very open so people and the public can see exactly what we're doing and, indeed, eliminate the problems we've had in trying to get dates set for people to come. I know how difficult that is sometimes because you've got to work around other people's schedules to get these things done.

So I'd like to make a recommendation to the committee that we eliminate the subcommittee and set the agendas from now on in the open, in public, and move forward with this so we can get these agenda items set and if they're not set, we can hear the arguments from the different Parties. We may argue against an agenda item at some time but at least it's in the public forum, it's there. When the committee decides on it, it's done and there's not another debate when it comes back to the committee from the subcommittee. So I move that.

MADAM CHAIRMAN: So, Mr. Colwell, that's a motion then that you're making at the moment? Yes.

MR. MACKINNON: I would second that.

MADAM CHAIRMAN: Okay, so that's seconded, very good. Mr. Preyra.

[Page 40]

MR. PREYRA: I'd like to speak to that, Madam Chairman.

MADAM CHAIRMAN: Yes, I expected we'd have some discussion.

MR. PREYRA: I just want to go back to the last two meetings. As you know, we objected on a point of principle essentially that the Agenda and Procedures Subcommittee was functioning in camera and was making all kinds of decisions that were not becoming subject to discussion, debate and public scrutiny at this committee. So, you know, those two objections that we had related largely to that principle that it's important that these discussions and debate take place in public, not necessarily because the committee won't ratify those decisions. Of course, you know, when you've got representatives of the Party talking about the agenda, you would expect that recommendations coming forward would have at least some support.

The point was there was no discussion or debate at this committee, especially what happened at the last meeting where an Agenda and Procedures Subcommittee decision - I use the word "decision" - recommendation was presented at the committee as if it was something that had to be approved and was not subject to discussion and debate. So we agree very much with that principle that those discussions, even though they could take place in camera, had to be subject to ratification and public discussion and debate before they were approved. So we support the principle of this recommendation.

MADAM CHAIRMAN: Mr. Porter.

MR. PORTER: I just want to clarify something. I've been on this committee since 2006. We have met in the subcommittee and, to my knowledge, there were always recommendations made and nothing that couldn't have been public - good debate, good discussion, all Parties were involved, as they are now. I don't recall a point in time where we ever brought a recommendation back to this full committee that there wasn't an opportunity for discussion. So I would disagree with Mr. Preyra's comments because we always brought that back and there was discussion if discussion was required.

The other thing that we did is we took it back to our caucuses for discussion, hence the reason for the subcommittee, to save some time and agree on witnesses that we felt were appropriate to come before us. I don't recall a time when anyone was ever shut down for making a comment from any chairman - yourself, Ms. MacDonald was there prior to you - in my time, where discussion couldn't be had and decisions were made.

I think I would have to go back in Hansard to look but there may have even been opportunities where changes were made from those recommendations that were put forward. So I think that was always done anyway and certainly we could check the Hansard to make sure but I don't know that we ever - well, no, I will say I don't ever recall any debate in camera being any kind of secretive debate that wasn't open and then discussed later, the same

[Page 41]

debate basically, within the full committee. Anyway, I just wanted to get that comment on the record because I think it's appropriate to make it. Thank you very much.

MADAM CHAIRMAN: Thank you. I think going back to the original intent, it was simply to streamline our meetings that we hold and it was, as Mr. Colwell has suggested, a suggestion from Mr. Steele when he was the chairman of this committee. I believe Mr. Smith has comments and Mr. MacKinnon. So I'll start with Mr. Smith.

MR. SMITH: The only comment I wanted to make is that, because I'm new to the committee, I've been provided with some materials, background materials, about Public Accounts Committees and how they're set up and how they function and the rest of it. One of the recommendations or one of the suggestions is that, in fact, there would be an independent agenda-setting subcommittee of the Public Accounts Committee. So when you say it goes back to Mr. Steele setting it up, I guess that seems to be best practices in other jurisdictions as well.

I'm just noting that seemed to be what was suggested was the right way to go but now if there's a motion to change that, that's fine.

MR. MACKINNON: Thank you. I just want to go on record as very strongly supporting the member for Preston on this issue. Certainly the history is not all that relevant when we're moving forward in the light that he has put forward. I think we're moving into a good, transparent process and I strongly support it.

MADAM CHAIRMAN: Mr. Colwell, do you have any final comments?

MR. COLWELL: Yes. I'm glad to see there is support for this. I think it's going to make the committee more transparent and indeed make it work better. It'll give the clerk time to book witnesses in so we don't hold any of our meetings up because of procedural wrangling. I think it would be better, too, for the public to see exactly how we pick agenda items and the rationale behind choosing those. I just appreciate the support from the committee members.

MADAM CHAIRMAN: Mr. Preyra, a final comment?

MR. PREYRA: I would like to comment on that. I would like some clarification from Mr. Colwell. I'm assuming that by this motion the agenda itself will be subject to approval by the committee prior to any deliberation by the committee.

MADAM CHAIRMAN: Mr. Colwell, can you clarify your intent?

MR. COLWELL: The intent is to, as we have done in the past, I think it's appropriate each caucus would bring topics forward like we would do. We would discuss them in an

[Page 42]

open forum and each caucus put forth their argument for whatever they want to bring forward and then we would choose items based on those arguments and those would then be the agenda items. Then it would be left up to the clerk to try to arrange times for those people to come that we can get the people and schedule lots in advance so that we're not holding up the business of the committee to ensure this happens.

I'm sure that all the members of the committee share that opinion. They want to make sure the committee sits as often as possible.

MADAM CHAIRMAN: Is that clear, then, Mr. Preyra?

MR. PREYRA: No, that's not clear at all. We would like to get some greater clarification about the agenda which is presented to the full committee, how it will be arrived at and whether or not that agenda would be subject to approval before it's discussed.

I guess what I'm asking is whether or not the standard committee practice in most committees - both in government and outside government - will be followed, which is that the first item on the agenda will be approval of the agenda itself.

MADAM CHAIRMAN: If I could try to clarify it, as I understand it, the motion is to do away with the agenda-setting subcommittee, Agenda and Procedures Subcommittee, which is a deviation from where we've been and also from where the CCAF has suggested. But it will address some of our difficulties in terms of the need or the desire that's been there to rehash a lot of it in the full committee. If we're going to have the discussion in the full committee, we'll get rid of the agenda-setting subcommittee and meet as a full committee to look at the suggested topics from each of the three caucuses and then to adopt an upcoming list of witnesses.

We'll do it, all of us, all members of the committee, together. It will be one session with all members. I think that is what's done in many of our other committees. Mr. Porter and then I'll go to Ms. Kent.

MR. PORTER: It seems rather simple to me, I guess I think about other committees. I think a list would be forwarded to the chairman from each caucus, as is the case on other committees, and we would go one Party, second Party, third Party, et cetera, and back around. Whether you did that once or twice in fairness, bringing forward recommendations for witnesses that would appear before the committee and we would choose.

For example, the NDP, the government, would say we would like to have Group A come in and they would be okay, great, then the Liberals, the Tories, et cetera. It would be advantageous to probably do at least two rounds of that, to have six witnesses at a time ahead, until the desired date we weren't going to meet through the summer, whenever our final date was. That would thereby make it considerably easier, I would think, for the clerk.

[Page 43]

She could certainly speak to this, but I know it would make it easier. It does in other committees, to move forward and book those folks in, then that would be behind us.

The only difference would be, instead of going through that process in the subcommittee, it would be done in the full committee and the discussion would be here in full committee and that's the process that is generally used, I believe. Others can speak to it but in most other committees that I sit on that is generally the practice. Thank you.

MADAM CHAIRMAN: If I could add to that, I believe the practice would be we would then vote as a committee on the list at the end of that meeting, just as we do in the subcommittee when we recommend to bring it forward to this committee so there still would have to be a vote taken to endorse those subjects that are presented. Ms. Kent.

MS. KENT: Because I'm not familiar with how that rolls out in the subcommittee, I'm wondering, is there an opportunity for an understanding or perhaps a list of topics that will be discussed or will be put on for approval in advance that would give us as a - you know, we realize the importance of the need for these subjects to be brought forward but there is a responsibility of each of us representing our caucus to have some input from our caucuses. Is there a way - or perhaps the suggestion would be that there's a list provided ahead of time of suggested topics that gives us at least a week to have some dialogue with our caucus members, our colleagues, to have input on the decision of confirmation of whether or not it's going to be on our agenda, is there an opportunity for that?

MADAM CHAIRMAN: For the last agenda-setting subcommittee meeting I had asked that the caucuses provide lists by Friday for the following Wednesday when we met, so I would ask the same this time that each of the caucuses - we're planning to have this meeting on April 7th so if each of us could have a list of subjects that you'd like to present as upcoming topics, if we could have those by Friday to our clerk, Mrs. Henry, then that could be circulated to the other members.

[11:00 a.m.]

MS. KENT: Right, okay, that was my question. As long as that list, which would be the Opposition caucuses in our case, and you as well would want to see what we're recommending, as long as we have that opportunity ahead of time. I guess what I'm asking today is, would that be a matter of practice, not just specifically the next one that we're talking about now? If we change to the method of bringing it to this committee, would it be a matter of practice that we will always do that and have that opportunity to discuss with our caucus the topics that are potentially on the table?

MADAM CHAIRMAN: My understanding is yes, I think that's the most efficient way . . .

[Page 44]

MS. KENT: That's the intent.

MADAM CHAIRMAN: . . . so that you have had a chance to be acquainted with what is coming up from the other three, or all three caucuses really, and that leads to the best discussion and makes the best use of our time.

MS. KENT: Good, I think certainly from my perspective and what I'm hearing from my colleagues that we're comfortable with that, thank you.

MADAM CHAIRMAN: I will have to say we'll have to add an extra length of time on after our witnesses next week and in any subsequent meeting of the agenda-setting group. It will be our full committee meeting separately to do that. Mr. Preyra, before I call the vote.

MR. PREYRA: Can we then be assured that committee business will be conducted after witnesses have been examined?

MADAM CHAIRMAN: There is no standard for that. The only reason it was changed last week was because we were really in a bind about setting the meeting for this week and next. That was why we did it, so that Mr. Keefe could be here and there was time during the meeting to assure ourselves of that. But I've been assured that it really doesn't matter which way we align it, it's not circumscribed by any rules.

MR. PREYRA: But can we expect a commitment from the chairman that committee business will be conducted after the witnesses have been examined?

MADAM CHAIRMAN: As long as there's no exceptional circumstance, that is our standard practice. But I make no apology for last week, because we had our back to the wall in terms of getting a meeting this week. If there's an exceptional circumstance then I will use my judgment and we may change that but as a general rule, yes, I would like to continue to have our witnesses first.

MR. PREYRA: Thank you, Madam Chairman.

MADAM CHAIRMAN: If I could, I'd like to call for the vote on Mr. Colwell's motion. The motion is to eliminate the Agenda and Procedures Subcommittee that we've had and I would suggest we see how that works.

Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

[Page 45]

I thank you for your co-operation with that. So we will be meeting April 7th. We have the Pension Regulation Division here and we will allow time at the end of that hour for our agenda setting, thank you very much.

The meeting is adjourned.

[The committee adjourned at 11:02 a.m.]