Halifax police left dozens of IT security holes despite warning, audit finds

Halifax Regional Police gave wrong information to the board of police commissioners about the force's IT security and has done little to fix risks since being told to do so in 2017, the municipality's auditor general said Thursday.

Evangeline Colman-Sadd urged police in 2018 to fix the problems, more than a year after a security consultant told the force its information technology was at risk.

In 2019, police managers told the board that 13 of the consultant's 67 recommendations to improve security had been completed.

But an audit by Colman-Sadd released Thursday revealed they'd only done five. It said many of the outstanding issues could have a "high impact."

"We are concerned the board was given incorrect information regarding the state of IT security at HRP," she said in a news release. "The board should expect to receive accurate information in carrying out its important oversight responsibilities."

IT policies outdated

The audit, which was carried out between February 2019 and January 2020, found the risk assessment hasn't been revisited and key risk-management processes are incomplete. 

Colman-Sadd described the force's security policies as "inadequate." She said Halifax Regional Police has had new policies in draft since 2019, but hasn't put those policies into practice. 

"The IT security environment at HRP needs significant improvement, from how risks are identified to how they are ultimately managed," the auditor general said. 

Her report said the IT policies are outdated and don't cover key security risks.

"We also found the staff member who manages HRP's covert systems is not supervised by someone with an IT background and has no reporting relationship with HRP's chief information security officer," the report said.

Police take audit 'seriously'

Dan Kinsella, chief of police, did not explain why police gave the board wrong information, nor did he address why police haven't fixed the security issues. 

"HRP takes the findings of the audit very seriously and has agreed to implement all recommendations put forth by the auditor," he said in a news release. 

"We thank the auditors for their diligence and engagement, and for their focus on bringing important matters to the attention of HRP management."

Colman-Sadd's audit also raised concerns about information getting into the wrong hands because police don't have a policy for deleting information on things like USB sticks. A lack of encryption means anyone could access the information.

She said police also need up-to-date inventory lists so they would know if something has gone missing. 

Policy needed to protect sensitive info

The force does not have its own policy on working remotely but uses the general Halifax Regional Municipality policy. Colman-Sadd said given the sensitive information police are accessing remotely, they need their own policy. 

"It's not a case of all kinds of infrastructure money," she said. "The majority of them are upgrading policies that just haven't been kept up to date."

The auditor general also gave police a confidential report with more information and recommendations on more sensitive issues.