Review of Transport Canada’s Cybersecurity

Internal audit report outlining the results of the Review of Transport Canada’s Cybersecurity.

Background information

The Review of Transport Canada’s Cybersecurity was included in the 2024-25 departmental Risk-Based Audit and Evaluation Plan (RBAEP) as a carry-over from the previous RBAEP.

With new technologies opening new vulnerabilities, the Department is facing increasingly complex challenges when it comes to protecting the confidentiality, integrity, and availability of the information that it creates, stores, processes, transmits, and archives.

The acceleration of digital transformation, especially the hybrid work model, requires the realignment of security initiatives to address the adoption of hybrid work, mobile devices, and cloud services, and to continuously manage emerging cybersecurity risks.

The Treasury Board of Canada Secretariat (TBS) has developed the Government of Canada Cyber Security Event Management Plan (GC CSEMP) to provide an operational framework for managing cyber security events.

In July 2024, TBS, the Communications Security Establishment, and Shared Services Canada (SSC) jointly developed and released the Government of Canada’s first Enterprise Cyber Security Strategy to define the GC’s vision and strategic objectives and enhance the security and resilience of government operations against cyber threats.

Unlike most Other Government Departments (OGDs), Transport Canada (TC) has both an internal-facing role and an external-facing one when it comes to managing cybersecurity.

One part of the organization, under the Services and Digital Group (SDG), is responsible for addressing internal cybersecurity requirements common to all OGDs.

Another part, under Safety and Security (S&S), oversees cyber requirements for critical transportation sector infrastructure and related industrial control systems.

A high degree of collaboration is required between the two groups to manage distinct yet interconnected cybersecurity risks.

Many groups are involved in promoting awareness of cybersecurity to protect information assets against internal and external threats:

  • The Cybersecurity Team, in the Enterprise Solutions Directorate (ESD) within SDG, supports TC’s internal cybersecurity-related activities (e.g., providing cybersecurity advice and guidance, developing security standards, collaborating with partners such as Departmental Security, the Government of Canada Cyber Incident Response Team (GC-CIRT) and SSC).
  • The newly established Intermodal Surface, Security and Emergency Preparedness (ISSEP) team, within S&S, works with the modes/programs across TC to support the Department's role in transportation sector-focused cybersecurity incidents.
  • Other groups are also involved, such as Aviation Security, which provides cyber awareness for industry, and the Innovation Centre, which explores cybersecurity risks for autonomous vehicles.

Review objective and scope

Objective

The review determined whether governance and an effective management control framework are in place internally to support sound cybersecurity practices across TC.

Scope

The review examined how the Department manages cyber security risks internally from January 2024 to April 2025.

The scope did not include a review of the Department’s external-facing role in the management of cybersecurity risks in the transportation system, which will be addressed in future internal audit work.

Review approach

The approach included interviews, document reviews, and data analysis.

Several frameworks were reviewed to establish the criteria for the review, including the Information Systems Audit and Control Association's (ISACA) guidance on cybersecurity, the COBIT framework, the Institute of Internal Auditors (IIA) Cybersecurity Topical Requirement, and the Canadian Centre for Cyber Security’s guidance and audit program.

  • These frameworks enabled the review team to concentrate on high-risk areas where TC can improve its cybersecurity management.
  • Additionally, they ensured that no critical areas were overlooked during the review. For example, the new IIA Cybersecurity Topical Requirement 2025 mandates Internal Audit functions to evaluate the design and implementation of cybersecurity governance, risk management, and control processes, which were considered throughout the review.

Review areas

  • Governance – Structure, roles and responsibilities
  • Resource management – Financial and people
  • Change management and patch management
  • Tools, systems, and technologies
  • Training and awareness
  • Monitoring and reporting
  • Risk management
  • Communication

Details on the review criteria are available in Appendix A.

Findings structure

The findings are categorized into two groups.

1. Areas that require improvements. Internal Audit provided details on achievements, findings and has made recommendations, for which the Office of Primary Interest (OPI) developed a corresponding Management Action Plan (MAP):

  • Governance
  • Resource management
  • Risk management
  • Monitoring and reporting

2. Areas where Internal Audit has not identified major control gaps and for which we have not made recommendations. The OPI did not need to develop a MAP:

  • Change management and patch management
  • Tools, systems, and technologies
  • Training and awareness
  • Communication

1. Governance

Overall finding

The GC’s Enterprise Cyber Security Strategy states that each department is responsible for its departmental cybersecurity management to help ensure safeguards are in place to protect programs and services against cyberattacks. TC leverages its existing governance bodies to oversee some cybersecurity-related activities. However, a department-wide cybersecurity strategy has not been developed to plan, govern, and engage groups in managing cybersecurity.

Achievements

Different groups are leveraging the existing governance structure to oversee some cybersecurity-related activities.

  • Various groups utilize different governance bodies, such as the Assistant Deputy Minister (ADM) Security Committee, Modernization and Innovation Committee (MIC), TC Executive Management Committee (TMX), and Departmental Audit Committee (DAC), to present their cybersecurity-related work for input and guidance.

The SDG Cybersecurity team is developing a Cyber Roadmap to strengthen the Department’s security posture. This initiative presents a valuable opportunity to integrate the findings and recommendations from this review, fostering greater collaboration among all groups and enabling TC to manage cybersecurity proactively and strategically.

The SDG Cybersecurity team has started to collaborate with ISSEP to clarify roles and responsibilities and avoid duplication.

Findings

A department-wide, integrated cybersecurity strategy that reflects the Department’s distinct yet interconnected roles in managing cybersecurity has not yet been developed.

  • The SDG’s Cyber Roadmap is under development and not yet available for review.
  • TC’s Departmental Security Plan (DSP), which should be reviewed annually, has not been updated since 2022 (it is currently being updated by the Departmental Security Office), and it does not include a departmental cybersecurity component. The GC’s Enterprise Cyber Security Strategy requires each department to ensure that the Departmental Chief Information Officer (CIO), the Chief Security Officer (CSO), and the Designated Official for Cyber Security (DOCS) collaborate to implement GC cybersecurity priorities and activities within the broader departmental security plans.
  • In addition, the Business Continuity Plan (BCP) has not been updated since 2022. As per the current DSP document, it should be updated periodically. The BCP is essential for restoring and protecting TC’s data, programs, and critical services following a cyberattack.

The collaboration methods to engage and coordinate departmental groups are not formalized, which could lead to coordination efforts becoming inconsistent or fragmented.

  • Given the involvement of many groups in cybersecurity, confusion over roles and responsibilities has occurred in the past (e.g., confusion over the response procedures to a cyberattack on a marine port in Toronto in 2023).
  • SDG put in efforts recently to coordinate and engage internal stakeholders, e.g., S&S and SDG co-hosting a recent TC Next event centered on Cybersecurity awareness; SDG coordinating with S&S, Programs, and the Policy groups in the horizontal review specific to the cybersecurity processes.

Even though the Departmental governance structure has been leveraged from time to time, there is no formal forum for consistent cybersecurity oversight and information sharing.

Recommendation 1

The Chief Service and Digital Officer should lead the development of a department-wide, integrated cybersecurity strategy that reflects the Department's multiple roles in managing cybersecurity, aligns with the GC Enterprise Cyber Security Strategy and leverages the work underway on the SDG Cyber Roadmap. The department-wide cybersecurity strategy should:

  • Outline collaboration methods for all groups involved in cybersecurity and specify how the Department will oversee activities such as resource management, risk management, performance monitoring and reporting.
  • Establish a formal forum where cybersecurity oversight and information sharing take place, potentially leveraging the existing governance structure. Examples for consideration include:
    • Periodic TMX meetings dedicated to cybersecurity;
    • Establishment of a Level 3 committee focused on cybersecurity, with representation from SDG, S&S and Departmental Security to bring together groups managing cybersecurity;
    • Information sharing and discussion at the ADM Departmental Security Committee.

2. Resource management

Overall finding

SDG’s cybersecurity team is fully staffed and has received dedicated funding for its activities. However, there is a lack of clarity regarding resource needs for cybersecurity from a departmental perspective.

Findings – Financial

Annual dedicated funding for core operations and additional pressure funding were allocated to support the SDG Cybersecurity team. Notably, starting in 2024-25, the team has been allocated an investment project fund specifically to address risks identified in the 2023-24 Integrated Departmental Risk Profile (IDRP).

However, from a long-term planning perspective, it remains uncertain whether there will be funding for ongoing investment in cyber-related projects over the next three years and if the pressure funding will be available.

Findings – People

In the absence of a department-wide cybersecurity strategy that outlines priorities, it is difficult to effectively plan supporting resources and competencies.

  • The Cybersecurity team has indicated that it is difficult to recruit and retain experienced cyber professionals. There is neither a career path nor a competency framework, and training needs are self-identified by employees.
  • Several groups within SDG have highlighted the need for cybersecurity expertise to support their programs and applications. This requirement was also identified in TC's recent Horizontal Review, conducted by the Finance and Management Services Group. The review recommended establishing a Cybersecurity Centre of Excellence to harness cyber skillsets for achieving multi-modal outcomes.

Recommendation 2

The Chief Service and Digital Officer should identify the resources (financial and people) required to implement the Cyber Roadmap and the department-wide cybersecurity strategy.

3. Risk management

Overall finding

Cybersecurity-related risks are identified by stakeholder groups but are managed in silos within their respective areas. There is no systematic ongoing monitoring and reporting to help ensure that effective risk mitigation actions are implemented.

Achievements

Two cyber security-related risks “Cyber and data security threats” and “Cyber Security Incident” were identified in the 2023-24 IDRP with respective risk mitigations; key risk indicators were identified and tracked.

The latest DM-approved 2025-26 key departmental risks include “Cyber and Data Risk”, which is owned by the Chief Service and Digital Officer.

The SDG Cybersecurity team developed the TC Cyber Security Event Management Plan (CSEMP) based on the GC CSEMP to manage operational-level risks, which includes escalation processes and Standard Operating Procedures for incident management.

The SDG Cybersecurity team has presented cybersecurity status updates, including risks and priorities, to various governance bodies (MIC, TMX, and DAC).

Findings

The GC’s Enterprise Cyber Security Strategy requires departments to ensure Departmental CIOs, CSOs, and the DOCS work collectively to ensure that departmental cyber security risks are managed in a manner that supports the management of the overall cyber security risk posture.

Although various groups have implemented risk management processes to manage cybersecurity risks, the Department lacks an integrated risk management approach that effectively coordinates these various processes.

  • The current DSP lists the groups responsible for managing cyber-related risks, but it is unclear whether these risks are being managed effectively. The DSP was last updated in November 2022.
  • The current departmental key risks for 2025-26 approved by the Deputy Minister show one cyber-related risk under the responsibility of the Chief Service and Digital Officer. At the time of reporting, it is too early to see how the department will be mitigating this risk as the risk responses are under development.

Recommendation 3

The Chief Service and Digital Officer should develop a risk management framework to ensure continuous monitoring and mitigation of departmental cybersecurity risks, leveraging the ongoing work of the Cyber Roadmap.

4. Monitoring and reporting

Overall finding

SDG has implemented monitoring and reporting of operational metrics; however, comprehensive performance metrics for department-wide cybersecurity activities are not yet established.

Achievements

The Cybersecurity team uses various metrics to measure, monitor, and report cybersecurity performance. These results are presented to various departmental governance bodies and focus on operational aspects such as phishing campaign outcomes and patch management.

The Departmental Plan for Service and Digital (DPSD) is used to report annually to TBS, including a self-assessment of the Department's Cyber Security Management across key operational areas.

Findings

SDG is currently monitoring and reporting on operational metrics, e.g., phishing campaign and out-of-country device usage.

However, strategic aspects are not captured or monitored (e.g., the overall attitude toward cybersecurity within the organization and management commitment). Metrics related to strategic objectives would provide important insight into the overall management of cybersecurity in the Department.

Recommendation 4

The Chief Service and Digital Officer should develop performance metrics for TC's cybersecurity activities as part of the development of a department-wide cybersecurity strategy. The metrics should consider:

  • SMART performance measures to ensure cybersecurity activities are effectively monitored and reported.
  • Strategic metrics such as security culture (e.g., overall attitude toward cybersecurity within the organization, management commitment).

5. Other findings

Change management and patch management

  • There is a robust change management process in place. There are also clearly defined roles and responsibilities and documented procedures. Most of the patching is scheduled and automatic.
  • SDG collaborates with different program areas to plan and apply updates and patches for Program area applications.

Tools, systems, and technologies

  • All tools, systems, and technologies for security are bought centrally for all GC departments. The GC mandates the use of Microsoft tools. TC has limited control over these tools, systems, and technologies.
  • The Cybersecurity team evaluates tools before adopting them to determine if they are suitable for the TC environment.

Training and awareness

  • There is no career path or competency framework for SDG cybersecurity employees. This has been noted in the "Resource Management" section.
  • However, the Cybersecurity team ensures that members receive appropriate training to perform their duties. Tabletop exercises are conducted to identify areas for improvement.
  • During GC Cybersecurity Awareness Month, various awareness activities were held. The cyber team regularly communicates with TC employees to promote cybersecurity awareness. Customized training is provided to users who need additional awareness.

Communication

  • Different groups within the Department are working to improve communication and break down silos. However, there is still room for further collaboration and enhanced communication.
  • This area is addressed in the “Governance” section.

Appendix A – Review criteria

  1. An effective governance structure is established and is operating as intended. The roles and responsibilities of key stakeholders are well defined, documented, communicated, and understood.
  2. Sufficient financial resources are allocated and human resources with the necessary knowledge, skills, and capacity are acquired.
  3. Sound change management and patch management are efficiently deployed in a timely manner.
  4. Appropriate tools, systems, and technologies are acquired and applied properly.
  5. Sufficient training and awareness activities are developed and delivered, with well-managed participation and evaluation.
  6. Necessary monitoring and reporting activities supported by established performance measures are carried out.
  7. A risk management framework is in place and risks associated with cybersecurity are identified, analyzed, reported, and mitigated effectively and in a timely manner.
  8. An adequate and effective communication strategy/protocol is in place to facilitate engagement of relevant stakeholders.

Appendix B – Recommendations and Management Action Plan

Each recommendation below is followed by the corresponding Management Action Plan and its target completion date.

Recommendation 1

The Chief Service and Digital Officer should lead the development of a department-wide, integrated cybersecurity strategy that reflects the Department’s multiple roles in managing cybersecurity, aligns with the GC Enterprise Cyber Security Strategy and leverages the work underway on the SDG Cyber Roadmap. The department-wide cybersecurity strategy should:

  • Outline collaboration methods for all groups involved in cybersecurity and specify how the Department will oversee activities such as resource management, risk management, performance monitoring and reporting.
  • Establish a formal forum where cybersecurity oversight and information sharing take place, potentially leveraging the existing governance structure. Examples for consideration include:
    • Periodic TMX Committee meetings dedicated to cybersecurity;
    • Establishment of a Level 3 committee focused on cybersecurity, with representation from SDG, S&S and Departmental Security to bring together groups managing cybersecurity;
    • Information sharing and discussion at the ADM Departmental Security Committee.

Management Action Plan

SDG will create a cyber security plan to strengthen the department’s cyber security posture.

SDG will establish a quarterly standing committee on cybersecurity with horizontal participation from other areas of TC with cyber involvement. Oversight will include reporting of Key Performance Indicators (KPIs) related to mitigations identified in the Departmental risk response.

GC departments’ role in cyber security is increasingly under the purview of central security agencies (SSC, TBS, Canadian Centre for Cyber Security). It is expected that SSC will take on more cyber functions related to cloud and end point security in the next few years; any new cyber strategy should address these changes.

Target Completion Date

Standing Committee on Cyber Security – Q2 2025-26 (September 2025)

Cyber security strategy – Q4 2025-26 (March 2026)

Recommendation 2

The Chief Service and Digital Officer should identify the resources (financial and people) required to implement the Cyber Roadmap and the department-wide cybersecurity strategy.

Management Action Plan

SDG will determine the appropriate resources required to operate and continually improve TC’s cyber security posture. SDG will compare TC funding and staffing to OGDs to inform this exercise. SSC/TBS trends to centralize security management may affect resource requirements.

SDG has the necessary resources to begin implementation of the cyber security roadmap in Fiscal Year 2025-26; however, some of the financial resources are temporary in nature. SDG will require ongoing core funding to support ongoing operations and improvements.

Target Completion Date

Cyber security finance and resource plan for Fiscal Years 2026-27 to 2028-29 – Q4 2025-26 (March 2026)

Recommendation 3

The Chief Service and Digital Officer should develop a risk management framework to ensure continuous monitoring and mitigation of departmental cybersecurity risks, leveraging the ongoing work of the Cyber Roadmap.

Management Action Plan

SDG will develop a Cybersecurity Risk Management Framework to identify, assess, monitor, and mitigate risks to the organization’s information systems and assets. This ongoing process adapts to emerging threats and technological changes. The framework ensures that the department can manage the risk of cyber and data security threats, which could disrupt TC's operations, cause data loss or compromise sensitive information, and lead to economic or reputational damage.

Target Completion Date

Cybersecurity Risk Management Framework – Q4 2025-26 (March 2026)

Recommendation 4

The Chief Service and Digital Officer should develop performance metrics for TC's cybersecurity activities as part of the development of a department-wide cybersecurity strategy. The metrics should consider:

  • SMART performance measures to ensure cybersecurity activities are effectively monitored and reported.
  • Strategic metrics such as security culture (e.g., overall attitude toward cybersecurity within the organization, management commitment).

Management Action Plan

SDG will develop a set of metrics to track cyber security effectiveness across the department.

Target Completion Date

Cyber security metrics reporting – Q1 2025-26 (June 30, 2025)

Appendix C – Statement of Conformance

This engagement conforms with the Government of Canada’s Policy on Internal Audit and the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, as supported by the results of an external assessment of Internal Audit's Quality Assurance and Improvement Program.

Chantal Roy, CIA

Chief Audit and Evaluation Executive