2013 Legislative Session: First Session, 40th Parliament
SELECT STANDING COMMITTEE ON PUBLIC ACCOUNTS
Monday, November 18, 2013
9:00 a.m.
ICBC Salon, Morris J. Wosk Centre for Dialogue
580 West Hastings Street, Vancouver, B.C.
Present: Bruce Ralston, MLA (Chair); Sam Sullivan, MLA (Deputy Chair); Kathy Corrigan, MLA; Marc Dalton, MLA; David Eby, MLA; Simon Gibson, MLA; George Heyman, MLA; Vicki Huntington, MLA; Greg Kyllo, MLA; Norm Letnick, MLA; Mike Morris, MLA; Linda Reimer, MLA; Selina Robinson, MLA; Shane Simpson, MLA; Laurie Throness, MLA
Officials Present: Russ Jones, Acting Auditor General; Stuart Newton, Comptroller General
Others Present: Ron Wall, Committee Researcher
1. The Chair called the Committee to order at 9:02 a.m.
2. The following witnesses appeared before the Committee and answered questions relating to the Auditor General’s Report Securing the JUSTIN System: Access and Security Audit at the Ministry of Justice (January 2013).
Office of the Auditor General
• Russ Jones, Acting Auditor General
• Cornell Dover, Assistant Auditor General
• Pam Hamilton, Director
Ministry of Justice
• Bobbi Sadler, Chief Information Officer, Information Systems Branch
• Chris Mah, Director, Technology Services, Information Systems Branch
• Jim Hughes, Criminal Justice Branch
3. The Committee recessed from 11:02 to 11:17 a.m.
4. The Committee continued its consideration of the Auditor General’s Report Securing the JUSTIN System: Access and Security Audit at the Ministry of Justice (January 2013).
5. The following witnesses appeared before the Committee and answered questions relating to the Auditor General’s Report The Status of IT Controls in British Columbia’s Public Sector: An Analysis of Audit Findings (July 2012).
Office of the Auditor General
• Russ Jones, Acting Auditor General
• Cornell Dover, Assistant Auditor General
• David Lau, Director
Government
• Stuart Newton, Comptroller General
6. The Committee recessed from 12:05 to 1:01 p.m.
7. The Committee continued its consideration of the Auditor General’s Report The Status of IT Controls in British Columbia’s Public Sector: An Analysis of Audit Findings (July 2012).
8. The following witnesses appeared before the Committee and answered questions relating to the Auditor General’s Report An Audit of Biodiversity in B.C.: Assessing the Effectiveness of Key Tools (February 2013).
Office of the Auditor General
• Russ Jones, Acting Auditor General
• Morris Sydor, Assistant Auditor General
• Ardice Todosichuk, Manager
Government
• Tom Ethier, Assistant Deputy Minister, Natural Resource Operations, Ministry of Forests, Lands and Natural Resource Operations
• Mark Zacharias, Assistant Deputy Minister, Environmental Sustainability and Strategic Policy Division, Ministry of Environment
• Alec Dale, Executive Director, Environmental Sustainability and Strategic Policy Division, Ministry of Environment
9. The Committee recessed from 3:03 to 3:11 p.m.
10. The Committee continued its consideration of the Auditor General’s Report An Audit of Biodiversity in B.C.: Assessing the Effectiveness of Key Tools (February 2013).
11. The Committee adjourned to the call of the Chair at 4:00 p.m.
Bruce Ralston, MLA Chair
Kate Ryan-Lloyd
The following electronic version is for informational purposes only.
The printed version remains the official version.
MONDAY, NOVEMBER 18, 2013
Issue No. 3
ISSN 1499-4240 (Print)
ISSN 1499-4259 (Online)
CONTENTS
Auditor General Report: Securing the JUSTIN System: Access and Security Audit at the Ministry of Justice (page 47)
• R. Jones
• P. Hamilton
• B. Sadler
• C. Dover
• J. Hughes
• C. Mah
• S. Newton
Auditor General Report: The Status of IT Controls in British Columbia's Public Sector: An Analysis of Audit Findings (page 71)
• R. Jones
• D. Lau
• S. Newton
• C. Dover
Auditor General Report: An Audit of Biodiversity in B.C.: Assessing the Effectiveness of Key Tools (page 83)
• R. Jones
• A. Todosichuk
• M. Zacharias
• A. Dale
• M. Sydor
• T. Ethier
Other Business (page 102)
Chair:
* Bruce Ralston (Surrey-Whalley NDP)
Deputy Chair:
* Sam Sullivan (Vancouver–False Creek BC Liberal)
Members:
* Kathy Corrigan (Burnaby–Deer Lake NDP)
* Marc Dalton (Maple Ridge–Mission BC Liberal)
* David Eby (Vancouver–Point Grey NDP)
* Simon Gibson (Abbotsford-Mission BC Liberal)
* George Heyman (Vancouver-Fairview NDP)
* Vicki Huntington (Delta South Ind.)
* Greg Kyllo (Shuswap BC Liberal)
* Norm Letnick (Kelowna–Lake Country BC Liberal)
* Mike Morris (Prince George–Mackenzie BC Liberal)
* Linda Reimer (Port Moody–Coquitlam BC Liberal)
* Selina Robinson (Coquitlam-Maillardville NDP)
* Shane Simpson (Vancouver-Hastings NDP)
* Laurie Throness (Chilliwack-Hope BC Liberal)
* denotes member present
Clerk:
Kate Ryan-Lloyd
Committee Staff:
Ron Wall (Committee Researcher)
Witnesses:
Alec Dale (Ministry of Environment)
Cornell Dover (Office of the Auditor General)
Tom Ethier (Ministry of Forests, Lands and Natural Resource Operations)
Pam Hamilton (Office of the Auditor General)
Jim Hughes (Ministry of Justice)
Russ Jones (Acting Auditor General)
David Lau (Office of the Auditor General)
Chris Mah (Ministry of Justice)
Stuart Newton (Comptroller General)
Bobbi Sadler (Ministry of Justice)
Morris Sydor (Office of the Auditor General)
Ardice Todosichuk (Office of the Auditor General)
Mark Zacharias (Ministry of Environment)
The committee met at 9:02 a.m.
[B. Ralston in the chair.]
B. Ralston (Chair): Welcome. We've got an interesting four days in front of us, so we might as well get started. Lots of work to do.
The first report that we're going to deal with is Securing the JUSTIN System. What I'm going to ask is for the Auditor General and his group to make a presentation — there are slides, which you have in your materials — and then the auditee, the ministry, to respond to the report. Then we'll open it up for questions.
With that, perhaps I can turn it over to Russ Jones, the Auditor General.
Auditor General Report: Securing the JUSTIN System: Access and Security Audit at the Ministry of Justice
R. Jones: Good morning, Chair, vice-Chair and Members. Thank you. I'm going to do, basically, a brief introduction and then turn it over to the team that worked on the JUSTIN report.
The province's computerized criminal justice security system — or JUSTIN, as it's commonly referred to — supports the administration of criminal justice cases from initial submission through to the court process. It contains over a million police investigations. Because of the sensitivity of the information in the system, in the fall of 2011 my office undertook an audit to review the protection of information that's in that system.
As we were doing the audit, we continually updated the ministry, starting in January of 2012. We issued a management report to them in July 2012, which contained around 100 recommendations. Then we provided additional time to the ministry to address some of the issues before we released our final report in January of 2013.
Throughout that process, we utilized our experts to try and determine what we could put in that final report in January of 2013, in a public report, that wouldn't introduce any security risk to the JUSTIN system.
It was a very long process to make sure that we didn't compromise anything that was in the JUSTIN system by way of what we were going to publicly report. That's why, as you can see in the report, we ended up with five recommendations overall, even though the management letter that we issued to the ministry had approximately 100 different points in it.
B. Ralston (Chair): So the initial management letter was confidential, then, to the ministry and not released publicly in any form.
R. Jones: That is correct. A lot of the reason for that was because it's a very technical piece of work as well. We tried to put it into the public report, synthesize that down to something that was publicly understandable.
Our report identified a number of significant security flaws in the system. Some were addressed before the release of the report, but many still remained. There are some to this day that are still being addressed by the ministry.
This is our office's second report in the past few years on IT security and the Ministry of Justice systems. In 2008 we released an audit into the management of access to the corrections case management system, or CORNET as it was called. Some of the same weaknesses were in that report as are in this current report, and I would encourage the ministry to apply the recommendations from these two reports to all systems containing criminal justice information going forward.
I will now turn it over to the two people from the office that worked on this report. To my immediate left is Cornell Dover. He is an assistant Auditor General in the office and is in charge of the IT portfolio. Pam Hamilton is next to him. She was the lead auditor on the JUSTIN report. She's going to take you through the slides that we have provided in your deck.
P. Hamilton: Good morning. As introduced, I will be giving a brief presentation on our audit of securing the integrated justice system, known as JUSTIN. This presentation will include a brief background on the JUSTIN system, what we looked at, what we found, the recommendations and the next steps.
JUSTIN is a computerized system for managing and administrating the criminal justice process. It allows cases to be tracked from the initial police submission to the final court decision. All criminal cases in B.C. are submitted to JUSTIN, which now contains more than 15 years of information.
The information in the system is some of the most sensitive information in government — information that, if in the wrong hands, could cause personal injury.
The JUSTIN system is set up to follow the flow of the justice system. The process starts with a submission of police investigations called reports to Crown counsels, or RCCs. They are sent electronically from the police system to JUSTIN.
The Crown counsel receives the RCCs and uses them to determine if charges recommended by the police will be laid. If charges are to be laid, the case will be scheduled for court in JUSTIN by the judiciary branch.
Preparation and management of the court documents through to the court decision will be done by the court services branch. Depending on the court decision by the corrections branch, the corrections branch may provide supervision either in the community or custody and will have access to the JUSTIN system.
The diagram here is a very simplified view of the JUSTIN computing environment. The diagram shows that the JUSTIN system is in the Ministry of Justice computing environment, protected by the Ministry of Justice firewall. The RCCs are sent into JUSTIN from the PRIME-BC system. On the left are the user-connection methods and the networks that users are able to enter from. Connections can be made from the government network, from the police networks and from the Internet.
All connections to the JUSTIN application or database go through the Ministry of Justice firewall before reaching the system.
So what we looked at. We looked at the IT security controls in place to protect the system from someone trying to gain unauthorized access. This included assessing controls related to the network, IT infrastructure and accounts.
We looked at the appropriateness of user access to the reports to Crown counsel. We specifically looked at only the RCCs because they contain the most sensitive information in JUSTIN. These are the complete police investigations and include contact information on the accused, witnesses and victims.
Some RCCs are extremely sensitive and should have more stringent restrictions applied. We looked at the processes and controls in place to restrict RCCs pertaining to youth, pardoned individuals, the sealed court cases and those identified as private by the police.
We looked for mechanisms to proactively prevent and detect unauthorized transmissions of information. These controls include restrictions on downloading, printing and saving information as well as logging and monitoring.
The next five slides are the key findings.
B. Ralston (Chair): Just so I could stop you there, when you say "personal information" in the report to Crown counsel, by that you mean the name, the address — every way in which you could locate a person, if you wanted to. Is that accurate?
P. Hamilton: Correct. For the witnesses, accused, victims — yes, their addresses, phone numbers, names.
We found that attackers could gain access to the Ministry of Justice systems. We conducted a test, attempting to access information as an attacker would do. We were not able to access the JUSTIN database, but we were able to access other systems that contained sensitive JUSTIN data.
We tested with a regular government remote access account, the same type of account that other government employees and contractors would have. No special privileges were given, and no firewall rules were set up for the test.
We were able to reach Justice systems because the firewall allowed excessive access into the Ministry of Justice systems. We were able to access systems because of weak user credentials. We were able to download user IDs and encrypted passwords by exploiting system vulnerabilities that had not been patched. We found that there was excessive access to the RCCs, and access granted to users was not based on need to know.
About 3,300 users have access to RCCs. The users are from the Ministry of Justice, from Children and Families and from the police. Several hundred of these users were in roles that didn't require access and therefore should be removed. Users that do require RCC access are in many different roles. Not all roles need full access to the RCC, but the JUSTIN application is not programmed to allow more granular access. Therefore, users with access to an RCC have full access to all of the RCC.
Fixing this requires changes to be made to the program to allow more granular access and requires a security-access matrix to be defined. A security-access matrix would identify users' requirements based on their position. This needs to be done before access can be granted based on need to know.
B. Ralston (Chair): Can you give an example of what the difference might be? You say "granular access." Can you give some examples of limited access and more complete access?
P. Hamilton: Sure. The RCC has different components in it. There will be a narrative, which is the police investigation. There will be different fields within the RCC — as in the victim and witness contact information, the details, what the charge is, etc.
The complete RCC can't be…. There's no granular access to it. If you have access to the RCC, you have access to the full RCC, whether you need it or not. As far as positions go, there are people at very junior levels that have access to the RCC. They might need it for one reason or another, but they don't need the full RCC.
B. Ralston (Chair): So what would be a limited…? The junior person — what might they need access to the RCC for?
P. Hamilton: For instance, a clerk?
B. Ralston (Chair): Uh-huh.
P. Hamilton: I would have to go back and see what all the roles were. We did investigate and see what each role needed.
Like an intake person — they might need access to the file number or to process it. But not everybody needs to read the details of the police investigation. That was the point of that.
B. Ralston (Chair): Just some of the identifiers, but not the full narrative and not the witness information.
P. Hamilton: Correct.
B. Ralston (Chair): Okay, go ahead. Sorry to interrupt. I just wanted to make that clear.
P. Hamilton: We found that highly sensitive RCCs are not locked down. There are controls built in to JUSTIN to secure specific RCCs, but they are either not used or not used correctly, or they are bypassed altogether.
There are very few RCCs that have actually been restricted. This means that almost all RCCs pertaining to youth, pardoned individuals, sealed cases and those that have been identified as private by the police are actually not restricted. Therefore, all users have full access to almost all of the RCCs.
We found that control over JUSTIN information is not effective. There are features enabled in JUSTIN that allow reports to Crown counsel to be printed, saved to file or downloaded. Because there is no granularity in the level of access, all users with RCCs can do this. This activity is not monitored.
We also found that there are copies of the production JUSTIN database that IT support staff, researchers and some business users have access to. Using tools such as Excel, data can be downloaded. This activity, again, is not tracked or monitored.
We found that there would be very little chance of unauthorized access being detected or prevented. There are logs tracking connections and some logging of user activity, but there are no monitoring mechanisms in place. There are no proactive methods set up to alert on suspicious activity and no methods set up to detect compromised accounts. There is logging and alerting of possible attack traffic through an intrusion detection system, but the alerts are not responded to promptly.
There are very few breaches that have been identified through monitoring. Several incidences have been brought to the attention of the government by those involved in legal cases becoming aware of their information being disclosed.
In August 2012 we issued a detailed management report to the Ministry of Justice. In total there were 100 recommendations in the report, all of which were fully supported by the ministries. We summarized the recommendations from the detailed report into five key recommendations for the public report, addressing the main findings that I just described. These recommendations are on page 7 of the report.
B. Ralston (Chair): Could you just give me the date again that the recommendations were released — the management letter to the ministry?
P. Hamilton: August 25, 2012.
B. Ralston (Chair): Thank you. Go ahead.
P. Hamilton: Our next steps. The ministry provided our office with access to their action plan. We are continuing to monitor the ministry progress towards addressing the recommendations. A follow-up report was issued in October 2013. This was a self-assessment completed by the ministry to report on the status of the recommendations.
This concludes our presentation on the audit of the JUSTIN system.
B. Ralston (Chair): What I'd like to do before we move to any questions is have the ministry respond, and then we can move to questions.
I believe we have a couple of people from the Ministry of Justice: Bobbi Sadler, chief information officer, and Chris Mah. Jim Hughes is with the prosecution service.
B. Sadler: Good morning, Chair, Deputy Chair, Members. If it's okay with the Chair, I have quite a fulsome report back, which will take about 15 minutes.
B. Ralston (Chair): Go ahead. Sounds great. That's short by our standards.
B. Sadler: Thank you for the opportunity to respond to the Office of the Auditor General's report on securing the JUSTIN system. This morning I have with me Chris Mah, who is our director of technology services and was the project director on the response back on the JUSTIN audit. I also have Mr. Jim Hughes. He's our chief legal technology counsel in our criminal justice branch.
On behalf of the ministry, my branch and our executive at the Ministry of Justice, we'd like to thank the Auditor General and his staff for their professionalism and the thoroughness of the audit team's examination, including the steps they took to protect the information that could cause future harm to the integrity of the environment in Justice.
We accept all the findings and are moving forward on remediating all 100 recommendations and have found that the audit has provided great insight into where we need to make improvements.
I also want to acknowledge that some of the recommendations that the OAG concluded for our JUSTIN audit were the same recommendations that were before this committee on our CORNET system, which is used by our corrections staff. This was from a previous audit done by the Auditor General in 2008.
[ Page 50 ]
Although most of the recommendations were addressed for the CORNET system, they were not applied across the JUSTIN application or any other processes or applications in our ministry. So this time, out of this audit, we're taking a different approach. Although dealing with the 100 recommendations in this audit, we are implementing security improvements and changes for the whole sector.
I also want to state that security is of the utmost importance in the justice sector, and we take this audit very seriously and have made this a priority.
As previously explained, JUSTIN is a provincial, integrated criminal justice system that ties together all justice agencies and supports justice system workers in the processing and management of cases from police arrest, report to Crown counsel, charge approval, witness and victim information, provincial trial scheduling, court case tracking and management in electronic generation of the court's documents.
In July 2001 it was fully implemented provincewide in over 400 office locations in B.C. and, in 2003 and '04, integrated with the PRIME system that's used today by law enforcement.
It consists of one centralized database and six applications, and my organization in the ministry, called the information systems branch, is the custodian of the JUSTIN system, including the database, applications and the security technology — all of which sits on the government corporate infrastructure environment.
As shown in this slide, you'll see the users of the JUSTIN system. It represents a sequential process, as criminal cases proceed through the B.C. justice system. In general, the data owners are policing agencies, criminal justice branch, our corrections branch, as well as the judiciary. User counts as of November 1 for the RCC JUSTIN users is at 2,506 users. When the audit was done it was over 3,300.
From a change management and a managing of data point of view, there is a business committee made up of all the major stakeholders, called the JUSTIN Management Committee, which meets monthly. Their responsibility is to manage the system; set policies, procedures; recommend processes and systems changes. They also have the overall accountability of the data in the system. The committee work closely with the audit team and have the responsibility of assisting with all change management and all the changes that are being implemented.
The full audit report contains 100 detailed recommendations to the ministry. After receiving the report, the ministry undertook a risk assessment to determine the criticality of each of the 100 recommendations. The Auditor General, with thanks from the ministry, delayed the publishing of the report from its initially scheduled date to help ensure that the ministry had sufficient time to conclude this assessment and close any critical gaps prior to the report being published.
Implementing the recommendations is a priority for our ministry. As a result of the recommendations in the Auditor General's report, information security for the B.C. JUSTIN system has been reinforced to prevent unauthorized and inappropriate access.
The ministry has continued to enhance its information security, and it's going beyond the specific recommendations contained within the audit.
In addition, an action plan and a project team are in place to oversee an ongoing project that will address any remaining gaps and will ensure continuous improvement of the security of the JUSTIN system and all applications in our ministry. This is being done in cooperation with the Auditor General's office, and we welcome the continued role that the Auditor General will have in monitoring our progress.
Now I'm going to get into some details of what we've done to date and what we're continuing to do.
On the first recommendation, the Auditor General's report identified a number of deficiencies related to the system components and infrastructure and recommended multiple layers of security. To that end, we have undertaken steps to restrict network access. You can no longer reach a log-on screen from a non-ministry office, and the government staff using remote-access technologies, such as VPN, have been segregated from JUSTIN users so that we can block access from non-JUSTIN users.
Database connections are used for certain types of system-to-system data sharing. In some cases, old connections that were no longer in use still had associated database accounts in the database, which created unnecessary risk. These accounts have now all been removed.
We have implemented a secure access gateway, also known as a SAG, that represents a fundamental change in the way IT staff administrate systems. In the old model each administrator connected directly to the server and their workstation. There were dozens of computers that could connect to the JUSTIN servers. The new model restricts all direct privileged administrative access to the SAG, which is locked down via a virtual desktop. Administrators are now required to connect to the SAG to perform any administrative functions.
The SAG also adds in a requirement for what is called two-factor authentication, using a unique USB token assigned to each administrator. In order to connect to the SAG, the administrator must provide their log-on credentials, but they must also insert their USB token into the computer from which they're working. Overall, this is a significant enhancement for security, and it goes across all our systems.
The SAG also puts a gate around privileged administrative access, separating them from all other users. But once an administrator has logged on to the SAG, he or she could see all of the servers in the ministry's computing environment, so we've added more granular controls related to password policies in use on these servers. Passwords are now updated according to a set schedule, and password complexity rules are applied now.
We have implemented new policies related to criminal record checks. This includes but goes beyond the current governmentwide policy to have all staff undergo a basic check when they are hired or change jobs. Enhanced checks are used for all IT staff and all IT contractors.
B. Ralston (Chair): By "criminal record check," do you mean a simple request just to find out whether the person actually has any criminal convictions, or something a little bit broader, which is a kind of security clearance which might have something to do with associations or something like that?
B. Sadler: That's correct.
B. Ralston (Chair): That's what you're doing now.
B. Sadler: Yes.
B. Ralston (Chair): For anyone who has access to the system now?
B. Sadler: For any IT administrators, anybody in IT, absolutely. For new employees, absolutely.
K. Corrigan: Could I ask a question, a follow-up on that, Bruce?
B. Ralston (Chair): Sorry, I started a chain reaction there. I didn't mean to interrupt. I just wanted the point to be clear.
B. Sadler: The ministry is moving all of its servers from data centres in Victoria to new facilities in Calgary and Kamloops as part of a governmentwide migration project. This project is scheduled to be complete in April 2014. All of the JUSTIN system infrastructure components are being retired, and JUSTIN will be redeployed onto the brand-new servers in the new environment. The move will result in better server-hardening against vulnerabilities, due to new policies and standards in use at these facilities.
The new network security design will also result in better segregation of system components in environments. The ministry is also updating system documentation and improving its change management process as it migrates to these new centres, which will also allow better intrusion detection.
Testing is important to ensure that all security controls are functioning as expected. OAG performed a penetration test during the audit, which resulted in any identified way to directly compromise JUSTIN itself, but did find some vulnerabilities in other systems.
We have since addressed these vulnerable systems, but we plan to continue conducting our own testing to ensure the system remains secure. Testing will take the form of automated vulnerability scanning, which looks for basic security faults or configuration errors, as well as more thorough penetration testing, which involves attempts by trained security professionals to break into the system through a number of different means.
Upon completion of this work we have addressed the concerns related to direct network access from outside of the ministry, from external systems and from unauthorized administrative access. Based on these changes, we have made a much better degree of assurance that every person accessing JUSTIN is someone who the ministry has intentionally provided access to.
Now I'll talk about the user access. After the audit, the ministry did a comprehensive review of all JUSTIN user access. Every user account was reviewed to determine if (a) it was still valid and (b) had appropriate account settings based on the employee's job function, which Pam talked about.
At the time of the audit the Auditor General noted approximately 3,300 users with access to JUSTIN RCC data. After this review, and currently, there are approximately 2,500 users that have this access.
It was determined that as employees changed their jobs, their access was not always appropriately revoked, and this led to a buildup of access that was no longer required. The results confirm that defining previous processes for controlling access were not adequate.
To address the situation, the ministry has now implemented a process where employee data from our corporate HR system is monitored for changes to employment. Any employees undergoing changes now have their access permissions reviewed to ensure access is removed or modified as necessary.
The ministry also monitors total user numbers, using the current level of 2,500 users as a baseline. The ministry has also taken steps to ensure that access permissions for the sensitive RCC data are appropriate. Sensitive files were individually reviewed to ensure that permissions were set correctly in all cases.
All of the activities to date have been carried out within the current security access model that dates back to the original system design from the mid-'90s. There are challenges with this design, and if this system was built today, we would use a totally different support on role-based security.
The next step in the process to ensure that user access is based on need to know involves the development of a security access matrix that identifies the specific information access needs for each user role. This work is well underway, and the next milestone will be a decision from the ministry on how best to implement this solution.
We know that the current model does not provide us the ability to deliver proper role-based access, so we're exploring a range of options to address the current gaps. Significant attention is being paid to finding appropriate balance between security and the need for employees to be able to access what they need to make their decisions.
Information security training is another area of particular focus within the ministry. The ministry is currently working to ensure that all employees have basic privacy and security training, and additional training is planned for staff who work with sensitive data.
Specific to JUSTIN, we have updated our training materials and user guides for users responsible for securing data within the system. Again, this is based on the current access model, and any changes we make to the JUSTIN user-access model would also result in new processes and procedures for securing sensitive files.
Given the challenges with the current security model, our current focus involves improving our ability to audit and monitor user access. Today we have implemented new monitoring capabilities designed to identify use of a JUSTIN account by anyone other than the designated owner. This could involve accounts that have been compromised without the knowledge of the user as well as the deliberate sharing of account log-on information.
We are also maintaining log information for a much longer period of time. At this point it's indefinitely.
Beyond this, we are also greatly increasing our ability to audit user activity within the system by deploying software tools that will assist with the capture and reporting of this activity. The audit capability applies to both user and administrator access to JUSTIN data. This solution will not only help us obtain visibility over all justice information access but also be applied to other highly sensitive databases that the ministry operates. In order to make full use of the new audit capabilities, additional staff are being brought into a new group which oversees the operation of these audit tools.
There is still work to be done here, but with better user-access management practices, an upcoming decision on JUSTIN security access model and enhanced access auditing capabilities well underway, the ministry has laid out a plan that will secure JUSTIN from the inside just as the network and infrastructure changes have secured it from the outside.
The final part of the ministry's approach to addressing the audit recommendations involves a significant improvement to the way information security is managed in the ministry. A new information security program has recently been established within the information systems branch.
We have created and recently filled a new director of information security position to lead the program. Existing staff within the ministry have been brought under the program, and we're looking at growing the program with some additional positions over the short to medium term. That program will oversee the operation of the new auditing tools that were previously discussed.
Beyond the user audit tools, the ministry is also working on acquiring a security information event management solution, which will help automatically aggregate security log information from a number of sources and aid with monitoring in the correlation of data across multiple sources. An initial pilot of this system is already underway in the ministry and could be expanded to include larger systems, such as JUSTIN.
Overall, the ministry is taking a broader approach to improving information security than just what is contained in the report from the Auditor General. The report focused on the JUSTIN system, but many of the findings could reasonably be expected to apply to other systems. Developing a new program to manage security will help ensure that improvements made for JUSTIN, such as enhanced monitoring, are also applied to all ministry systems that could benefit.
We've completed a lot of the remediation work to date, but we still have some work to do, which we will continue into the next year, as you can see from our high-level schedule. We will continue to make this a priority. We have a dedicated team addressing security in the sector and continue to meet monthly with the OAG staff to discuss our progress.
I'd like to close saying, once again, that we thank the Auditor General and his staff for the work on this audit and thank the committee for having us here today.
B. Ralston (Chair): Thanks very much.
Russ, did you want to say anything else in response, or are we ready to go to questions?
R. Jones: I think we should go straight to questions.
N. Letnick: Thank you to both the office and the government for good presentations and also for ensuring that the slides are in our package for those of us who can't see the screen. I appreciate that as well.
I'm very heartened to hear — and actually I'll repeat the words you said — that security is of the utmost importance. Obviously, we don't have access to the 100 recommendations, so we can't get into the details of the 100. But at a high level, obviously, security is of the utmost importance.
My first question, then. Your last point is that you're applying the recommendations and the system changes to other systems. Could you give us an example — again, at a high level, if that's permitted without compromising anything? What other systems are you applying this knowledge to?
I do have three or four other questions, Mr. Chair. Did you want me to spew them out at the same time or wait for the answers?
B. Ralston (Chair): Well, maybe we can get an answer and then maybe a follow-up. I'd prefer to go back and forth rather than…. There are four questions on four discrete topics? Yeah, I think that would…. Okay, well, one issue at a time.
Go ahead.
B. Sadler: We have a number of applications and databases in the sector, including our CORNET application, and we've applied the SAG across those applications, plus we are doing monitoring and logging for all those databases across our system.
N. Letnick: Okay. So it's just within your ministry. It's not being applied, to the best of your knowledge, to other ministries?
B. Sadler: Certainly, other ministries are interested in what we're doing. We're having those discussions, as well as in law enforcement. But what I was strictly talking about was our ministry.
N. Letnick: Okay. And then my follow-up question is — and maybe the Auditor General would be the one to answer this: did you compare the results of your audit against other jurisdictions that are also using similar systems, so we know how well the government is doing compared to other users of similar systems?
C. Dover: No, we haven't.
N. Letnick: So we don't know whether they're better or worse? We don't.
C. Dover: No, we just focused on the audit of the justice system.
N. Letnick: Thank you. I'll ask some more questions later.
K. Corrigan: We've had 12 years where the protections in the system have not been adequate.
First of all, just by way of background, I want to ask a question about a particular scenario and confirm whether or not the type of information that I'm referring to would be included in the report to Crown counsel, or other information in the justice system.
For example, if a co-accused in a case was negotiating a guilty plea, and there was going to be a Crown counsel recommendation for a reduced sentence in return for testimony against a co-accused in a case, is that the kind of information that would be included in JUSTIN?
B. Sadler: Chair, I'm going to pass that question on to Jim Hughes.
B. Ralston (Chair): I thought you might.
J. Hughes: Thank you, Mr. Chairman and Members.
No, that is not information that would be found in the JUSTIN system. The JUSTIN system is a case-tracking system that is used for the initial presentation of information to the Crown for charge assessment and witness notification. But there's no Crown work product or any avenue for doing that type of entry in the JUSTIN database. The rest of the disclosure package from police and all of those things are stored in different systems, and Crown encrypts 100 percent of its data.
K. Corrigan: Thank you. I just wanted to get an idea.
First of all, I want to get on the record one paragraph and then ask a question about it. This is on page 5:
"Our audit results revealed a serious lack of controls to protect JUSTIN information from inappropriate access and virtually no controls for detecting or preventing unauthorized disclosure. Information in the JUSTIN system is not safe from motivated individuals looking to gain access to it, and, equally concerning, there is very little chance that the ministry would ever know that unauthorized access had occurred."
I think that one paragraph pretty well almost encapsulates what has been wrong with the justice system.
Couple that with the observation, on page 19, that "several incidents have been brought to government's attention where parties involved in legal cases became aware that their case information had been inappropriately disclosed. These disclosures were the result of misuse of JUSTIN access privileges." When did that occur?
P. Hamilton: During the course of the audit we conferred with the OCIO's office. The OCIO's office is where all….
B. Ralston (Chair): What's the OCIO, just for those of us who don't follow all the acronyms?
P. Hamilton: Office of chief information officer for the province. Any complaints or possible breaches would go through that office. What we did is we went and talked to them, and they went through some of the breaches that had been brought to their attention by the public.
As far as what dates, it was over the last couple of years. I mean, I don't have the exact dates with me.
K. Corrigan: Would the ministry have been aware or have been informed that there had been complaints?
P. Hamilton: As far as I know, yes.
K. Corrigan: Can I get a confirmation from the ministry on that?
Can the ministry answer the question, then, of when those complaints took place and when they became aware of them?
B. Sadler: I'm sorry. I don't know exactly how many — the number isn't right in front of me — but over the last three years there had been less than ten breaches recorded.
K. Corrigan: There were ten complaints about breaches. There may have been more breaches, because you don't know, but there were ten complaints about breaches. Is that correct?
B. Sadler: That's correct.
K. Corrigan: So if the ministry was aware for a period of over three years — that would be prior to this audit being done — what did the ministry do proactively prior to the audit being done in order to address the fact that people were making complaints that there was unauthorized information being distributed via misuse of JUSTIN access privileges? Has the ministry gone back to try to check and see — proactively, through even newspaper advertisements or contacting individuals — to find out whether or not there were other breaches?
J. Hughes: I have limited awareness of this, but certainly we have to be careful here. We're not talking about breaches in the sense that somebody has hacked into JUSTIN and information has been distributed. Certainly, if a privacy complaint was brought forward to the criminal justice branch by the Privacy Commissioner — and I have dealt with some of these — we take positive steps with the Privacy Commissioner and investigate them.
The types of breaches we've dealt with, being described as breaches…. Probably, in a worst-case scenario, it was a disclosure package sent to the complainant instead of to the accused. But that disclosure package must be given to the accused. It's part of his defence of his case, and just being sent to the wrong address. As soon as that's caught, the proper notifications through the privacy breach protocol take place and all of those things.
There are also other instances where there's been the potential that staff have overstepped their bounds within the office, and we've certainly had to take human relations actions against those people and appropriately deal with them.
We've not had anything brought to our attention that indicates that anybody has breached JUSTIN data, got inside and inappropriately distributed information in that way.
B. Ralston (Chair): Can we move to the next question, then?
G. Heyman: Thank you for the presentations.
The Auditor General's report highlighted serious security concerns, particularly in light of the fact that there was a previous audit with similar concerns and recommendations within the criminal justice system that appeared to have no impact on the issues that were once again raised in this audit.
I note in the ministry response to the audit there's the statement:
"The ministry must also acknowledge that while we accept the audit findings, in some cases the response diverges from specific recommendations provided by the auditors. As administrators of the JUSTIN system, the ministry must balance the need to restrict access to sensitive information with the need to enable the criminal justice system to effectively protect the citizens of British Columbia."
Given the seriousness of the security concerns that were raised, I'd ask the ministry: what risks have you assessed, if any, by diverging from the audit recommendations, and what sort of risk assessment process did you use? Was this a balancing of interests, or were you simply finding other methods that you considered after a risk assessment achieved the same performance? If you identified those risks, how are you managing them? Did you discuss your alternate measures with the Auditor General's office?
B. Ralston (Chair): Okay. I think maybe it would be more helpful just to go one at a time there, George. Maybe just let them start with the first one, and then you can repeat your questions.
C. Mah: I'll address the first part of the question, which I understood to be about what approach we have taken to assess those risks. During the initial period after we received the audit, the ministry conducted its own self–risk assessment. By "self" I mean we engaged a security consultant with proper security credentials to review each of the 100 recommendations.
For instance, in terms of a recommendation that I believe was talked about, the ability to print RCC information, the ministry looks at that in terms of the job requirement for staff within the ministry to print that information in the course of doing their jobs and then balances that against the risk of those printed materials being a way to remove information from the organization.
During the course of the risk assessment we decided that given the lack of, I suppose, a technical ability to control printing, a better or divergent, if you will, approach would be to produce some monitoring around who was printing what information, as opposed to restricting printing. That's an example of where we would diverge from the recommendation from the auditor.
G. Heyman: Then my follow-up question to that was: where you identified additional risk, if you did — I assume there are a number of other recommendations, so it's hard to tell whether you did or not — did you have a system in place to manage that risk that you considered, following consultation with the Auditor General? I'm asking also whether you did consult with the Auditor General around the alternative measures that provided the same level of security as the initial recommendations provided.
C. Mah: Maybe I'll talk a little bit about the approach we've been taking for the follow-up. What we do is we meet on a monthly or bimonthly basis with the audit team. We have a listing of the full 100 points in the management report, and for each of those points we have a brief description of the action that the ministry has taken to date and the planned action. That is shared with the Office of the Auditor General. We have a discussion around some of those points, and certainly they are given every opportunity to provide feedback on whether or not they feel that that approach is appropriate.
G. Heyman: I have one more follow-up, if I may. This is for the Auditor General. My question is simply whether, in any of these instances where alternative measures have been discussed with the Auditor General, you're satisfied that the level of security being provided by the alternative measures meets your test.
R. Jones: We do meet with the ministry on a regular basis, and as mentioned, we do provide advice where we're asked. What we have not done is we have not followed up and done an audit of the various areas that have been addressed yet, so we don't know whether or not whatever controls are put in place so far are effective. We do plan on doing something in the future, but we haven't audited the procedures that the ministry is putting in place.
G. Heyman: Perhaps I asked the wrong question. Maybe I should have asked whether you actually ever advised against the alternative measure.
R. Jones: Not that I'm aware of.
P. Hamilton: For instance, the one that Chris brought forward on not being able to limit or control the printing right now. Putting in monitoring is always a good mitigating control. It doesn't necessarily take away from controlling printing, because not everyone should be able to print the full RCCs. But in the meantime, until they can reprogram JUSTIN and until they can identify who needs to have that function, monitoring it is a good mitigating control.
M. Dalton: There seems to be a vigorous response to the recommendations from the Attorney General — the report. I'm just wondering: prior to that would there not have been an ongoing examination of practices in place to look at these things?
That's one question. Then kind of tied in with that, is there not a…?
B. Ralston (Chair): Maybe just let them answer one question at a time. It's usually easier to get a better response. That's your first one. We'll let you come back to a second one.
B. Sadler: I've been in my position for one year. We are taking a different approach. I can't speak in detail what the previous CIO did in the ministry. There was a bit of work done there. There was not a security position in the ministry. Since the report has come out, this position, my position, is now part of the executive. That was a decision made by our executive.
As well, we are hiring new security staff in my team. Lastly, a decision was also made to consolidate all the IT resources to strengthen the security posture in the ministry. So I can't speak to prior, but I can speak to now and what we're doing now.
M. Dalton: I know that Norm asked an earlier question with regards to the Attorney General looking at other jurisdictions and how their process of security is being used. You didn't use that. But I'm wondering, as far as the ministry goes, if there is an examination and a collaboration with other jurisdictions in Canada — both nationally and internationally — drawing upon what they are doing with regards to security. Is that an ongoing action that has been taken?
B. Sadler: There are a few provinces that I have started to be in contact with. But we are one of the very few provinces across Canada that has an integrated criminal justice system. Most provinces have multiple systems, and they're certainly discussing with us about our system, how we're managing our system, and are quite interested in it. So it's hard to phone other jurisdictions and get advice. They're actually more phoning us.
B. Ralston (Chair): Just for the record, then, I'm not sure…. A deputy minister is not here, but who is the deputy minister, and how long has he or she been in the position? That might answer the….
B. Sadler: We have two deputies. One is our Deputy Solicitor General, who is Lori Wanamaker, and we have our Deputy Attorney General, Richard Fyfe. I report to both.
B. Ralston (Chair): How long has Mr. Fyfe been in his present position? You've been there for a year.
B. Sadler: I think it's slightly longer than a year, 18 months.
V. Huntington: Can you explain what the culture was in the ministry that permitted such a serious gap in security attitudes to prevail? What was that culture that existed? And why could something like CORNET not immediately have triggered a response to look at all of your security and IT systems?
B. Sadler: Again, I've only been here for a year, so I can't talk to the culture before then. But I will say that as soon as I started in this position, one of the first files I got on my desk was this audit, and it became a very top priority.
V. Huntington: Perhaps somebody else could try and answer that question.
J. Hughes: I can certainly speak to that to some extent. Prior to Ms. Sadler coming on board as the ADM and the consolidation of the IT sector within the Justice sector, the ministry's information services were essentially managed under management services. Therefore, the focus was probably more on saving money than on how to best deliver information technology.
Certainly, I've seen a very positive change with the consolidation and with bringing the information services branch as its own stand-alone branch outside of the management services portfolio, allowing us to work better together. It was a very siloed environment prior to that.
As I've already indicated, criminal justice branch were probably leading the way in government, let alone in the ministry, as far as security was concerned, and we took the approach of encrypting 100 percent of the information we have on the government network. Nowhere else in government is there the level of encryption and concern around their information as the criminal justice branch took.
Now that there's consolidation within the ministry and the sector, certainly that environment is expanding. So I think it's a real positive move.
B. Ralston (Chair): So if I might, these changes were initiated by Mr. Fyfe as the deputy, then, as far as you're aware. Maybe further answers might have to come from Mr. Fyfe. We can discuss that later.
V. Huntington: Some of that doesn't give me a lot of comfort, if Justice was the forefront in some of the security measures in the government. I hope other departments are discussing this audit as well.
You mentioned earlier that a number of the existing personnel are now moving forward with the new processes and systems in place. How far down did the leadership changes go? You're new, but how far down in the IT system and in the management approaches to security did the leadership changes go?
B. Sadler: In my organization they've really changed. I've brought in myself as new. I brought in a new security lead. I'm also bringing in a couple of additional security people. There was a security person out in one of the branches. They are now part of my organization. We've centralized that. It is under my responsibility now, whereas before it was a bit decentralized.
V. Huntington: One other quick question. To your knowledge are the lessons from this audit being applied across government, or are we going to find another situation where the Auditor General…? He's said this so many times over the years and through the reports: "Had this audit been taken into consideration, we would not have seen this problem."
Are you discussing this issue with your colleagues in other ministries?
B. Sadler: Yes, I am. As part of our team we have the chief technology officer from the Ministry of Technology, Innovation and Citizens' Services as part of our advisory board. Recommendations out of this audit are making changes on the corporate infrastructure. As well, I chair the ministry MCIO, the chief information officer council, of which case we are discussing this audit.
B. Ralston (Chair): I'd ask members to note, as well, that our next report is The Status of IT Controls in British Columbia's Public Sector. That might allow some scope for broader questions, as well, about the impact across government.
S. Robinson: I appreciate all the work that's gone in to address these recommendations. I have to say just even reading the report…. I come from the non-profit sector dealing with sensitive client information and was quite surprised at the lack of security here. I was quite shocked, because certainly in the non-profit sector where we received government funds there was a requirement set out by certain ministries to have certain controls. To find out that the actual ministry doesn't have the same controls that they require of the non-profit sector was quite shocking.
I do have a couple of questions, particularly about the criminal record checks that are now required for new employees. Are there particular records that would preclude access or particular issues that would preclude access that you are looking for?
C. Mah: If I can try to interpret the question a little bit, are you asking whether or not the results of a criminal record check would…?
S. Robinson: Would preclude either being hired or being hired but not having access.
C. Mah: The criminal records checks are applied at the point of initial hire or at the point when an employee attempts to change position, so a negative result would bar that individual from being eligible — depending, obviously, on what the nature of the job was and what the specific circumstances around that positive result on the check were.
S. Robinson: You have criteria for what would be acceptable, what wouldn't be acceptable?
C. Mah: The criteria…. This initiative is being run corporately in government with the assistance of the Public Service Agency. The Public Service Agency advises us, from an HR perspective, in terms of what is appropriate or not appropriate to apply for hiring standards.
S. Robinson: Thank you. That's helpful.
I also have a question about existing employees. This is only for new employees. How do you look back and reflect on those who are currently out working and have access to the system?
C. Mah: The new policy is for new employees and for employees changing positions, and it does not reflect back on existing employees in current positions. That was, again, in consultation with the Public Service Agency and the BCGEU. We were advised that the criminal records checks are not to be retroactively employed for government employees.
L. Throness: Just a few short questions. Maybe, Ms. Sadler, if I could get a copy of your report. I'd like to get a copy of the report that you gave.
I want to confirm that there's no evidence that there has been any breach of the system by what we might call the criminal element. Do you have any evidence of that? I want to confirm that there's….
B. Sadler: No evidence.
L. Throness: Okay. I want to confirm, as well, that a person with a criminal record cannot gain access to the system — that is, that the ministry will not authorize access to a person with a criminal record.
B. Sadler: That is correct.
L. Throness: Okay. I want to ask if you feel confident that if one of the 2,500 people who have access now is using that information in an improper way, you will be able to detect and find that person. Out of 2,500 people, it's not unlikely that there could be one who is compromised.
B. Sadler: We believe the risk has been decreased. Are we 100 percent confident today? No. We need to make some of the system changes. But with the start of the changes we have made around monitoring and logging and shutting down access and reviewing user accounts, we believe the risk has been decreased.
L. Throness: I wanted to ask if access to JUSTIN also means access to CORNET.
B. Sadler: No.
L. Throness: They're two separate things?
B. Sadler: Correct.
L. Throness: Finally, I wanted to ask if CORNET is used by law enforcement authorities to help with law enforcement, not just case management and things like that. Maybe this isn't your department.
B. Sadler: I don't believe so. They're two….
B. Ralston (Chair): Is that something that you could check and get an answer for?
B. Sadler: Absolutely.
B. Ralston (Chair): Okay, thank you.
L. Throness: A question for the Auditor General. Given that there are no immediate plans for an audit of the action plan, the response of the ministry, and given that it's your job to ensure that these holes are plugged, does that suggest there's a degree of comfort you have with the action plan of the ministry that there's no immediate plan for a follow-up?
C. Dover: Normally, what we would do is look at if there still is a significant risk from the work that's being done at Justice. If we think that the risk is still considerably high, what we would do is initiate a follow-up audit as well.
Right now our process is to look at the self-assessment, and sometime in the future if we decide that it's appropriate to do a follow-up, we will.
L. Throness: But there's been no immediate move to do that.
C. Dover: Not at the moment, no.
B. Ralston (Chair): Great. Thank you.
S. Gibson: I'm very comforted by the comment that you made earlier and also in response to my colleague about how nobody has attacked the system — nefarious means, that somebody's kind of got in there for dark purposes, malevolent creatures that are lurking there. That is really encouraging to me, and I'm not understating that.
My question, I guess, goes to…. With wirelessness…. It's not really discussed that much, but everybody is accessing everything through wireless technology today. That is hard to track.
One of the things I understand from your presentation is that if I, Simon Gibson, am not authorized to access JUSTIN but I go in there, you're going to find me. There's some tracking system. Or if I've lost my access, if at some point it's expired but I decide to sneak in there, you're going to find me. In that sense, the tracking is good, as I understand it, which is very laudable.
My question is, in terms of technology: what about wireless? We have police officers out there in their cruisers. They may not access JUSTIN. I'm not sure about that. But what about that aspect in terms of tracking? That becomes more problematic.
Maybe this is beyond the scope of what we're discussing today, but as I read technology magazines and other things, it's an alarming trend. I'd be interested in hearing any comments you'd wish to make on that.
C. Mah: Sure. There is a remote access component to the access to JUSTIN. If you're familiar with the technology, we use something called VPN, or virtual private networks, to ensure that all connections to any ministry system coming from outside of government are completely encrypted through that entire channel.
From a policy standpoint, those accounts need to be individually authorized. There is no ability for a regular JUSTIN user to attempt to connect wirelessly unless they have been provisioned for remote access, which would have to be authorized for that individual.
Then from a further security standpoint, we do track the IP address that each remote user is connecting from and some details about the workstation that it was connected to, to provide something to correlate with that user identity so we can look for some suspicious or anomalous behaviour there.
S. Gibson: A supplementary on that. It was mentioned earlier that there are other secure systems within the ministry, other secure databases. I think I wrote that down. If I have access to that first one, which is less secure, does that allow me…? Because I've now got that first stage of security access, does that make it easier for me to compromise the next one — i.e., JUSTIN? That's my question.
Is there an incremental approval system that makes it less likely for me to experience invigilation, if you will, to be able to allow me to gain access to JUSTIN in an unauthorized manner? That's my question.
C. Mah: To some degree, having any sort of access at all is…. If you had some malicious intent, having some access would make it somewhat easier for you to penetrate the perimeter.
Our security profile, our posture, is all about providing layered security, so getting that level of access would be one layer. However, there would still be numerous security controls between that system and other systems, and potentially, as you get into higher-security systems, you have to pass higher and higher bars.
To some extent, the answer would be yes, but I would say it's within the norm for industry and that sort of access.
S. Gibson: Thank you. I'm very, very encouraged with these responses.
B. Ralston (Chair): Can you just give an example of where someone would be granted access through this virtual private network process that you spoke of?
C. Mah: Sure. That process is often used for law enforcement, police agencies that don't exist on the government network.
For instance, you have remote users that need to come in from outside to connect in. Some of those agencies have what we refer to as sort of a direct-connect network connection between their network and ours. Others will come in from…. If that sort of peer-to-peer type of organization-to-organization network connection has not been established, then they will use this VPN technology to gain access to a system.
B. Ralston (Chair): What police agencies wouldn't be connected and would require this special authorization?
C. Mah: I don't know that it's necessarily to the agency as opposed to the level of access that they have. The access that we provide them is more system-to-system — for instance, so that the PRIME system can talk to the JUSTIN system. If they are working on the PRIME system, they can use that channel. If they wanted to connect directly to JUSTIN proper, they would often use something like VPN to do so.
B. Ralston (Chair): Good, thank you.
D. Eby: I had a couple of clarification questions based on the slide presentation. Two of the users that I didn't intuitively understand, in terms of why they would need access to JUSTIN…. One was the TransLink group, and one was the city of Vancouver. I was wondering if you could explain why those users would need access to the JUSTIN database.
J. Hughes: The section of the JUSTIN database that was audited was what they call the RCC access — the report to Crown counsel. All agencies that have the ability to submit an RCC require access to that RCC module. TransLink police do submit reports to Crown counsel. I'm not sure about the city of Vancouver or if it's the city of Vancouver police. Certainly, an agency that might submit a report to Crown counsel would have access, and that's where that number is.
D. Eby: So the "city of Vancouver" on that slide referred to the police and "TransLink" referred to the transit police. Is that correct?
J. Hughes: Yes.
D. Eby: Okay. The second question arose from an answer about the particular breaches that had been identified. The example that was given was that a disclosure package may have been mailed to the wrong address. The complaint arose from that and not from the database.
I'm having trouble understanding that. Is it the practice currently to mail disclosure packages — which, I understand, would include, for example, photographs from police witness statements, addresses, phone numbers, videotape from surveillance operations and so on? Is someone going to Canada Post and dropping those off into the mail?
J. Hughes: I'm speaking of a privacy complaint that I'm aware of, and certainly, that type of thing, as is part of our response with the Privacy Commissioner, would be to review all of our office policies and procedures. And we've looked at much more stringent requirements around how a disclosure package is delivered. It has never been a regular practice by any means to mail out something of that nature, but certainly, I'm aware of at least one that was mailed out and was mailed to a complainant instead of an accused. Then the complainant made a complaint to the Privacy Commissioner.
D. Eby: My last question. Simply, a number of the members here have taken comfort from the fact that there's no evidence that there has been any breach by what's described as a criminal element. And correct me if I'm wrong. The question that I have is…. The whole point of this audit was simply that you wouldn't know if somebody breached this data. You wouldn't know if a ministry employee was funnelling information out to a criminal element.
In fact, as I understand your answers today, you still don't know whether or not this is happening, although you have more comfort today than you did. Is that a correct understanding of the audit? I invite the Auditor General to explain whether that, in fact, was the finding of the audit — that the ministry wouldn't know that — and then the ministry to comment on whether or not they still don't know in all situations whether or not this is happening.
C. Dover: Yes, that's correct. Our biggest concern was that there wasn't a proper monitoring or detection of who was getting access into the system to be able to actually determine whether there were any breaches.
C. Mah: From the Ministry perspective, I think the best answer I can give is that there is no absolute certainty. To agree, yes, that's correct: we would not know if we did not know. I think our position is that we're constantly trying to reduce the situations in which that could happen. That's the best we can do at this point.
B. Ralston (Chair): I think that's what you call a known unknown, isn't it?
C. Mah: Correct.
K. Corrigan: I was going to ask a similar question as David did. Just a reminder that the quote from the report is: "Information in the JUSTIN system is not safe from motivated individuals looking to gain access to it, and equally concerning, there is very little chance that the ministry would ever know that unauthorized access had occurred." So the ministry is not aware and doesn't believe, but when it comes to what Simon called nefarious individuals, we simply don't know. That does concern me.
I recall, also, that there have been cases recently where data that was in ICBC computers was accessed and with serious consequences by criminal elements, so I think we shouldn't be too comforted, particularly given the comment that was made by the Auditor General.
I wanted to ask about the number of people — 2,500 as opposed to 33 — that have access to JUSTIN now. Contractors are mentioned, and I'm wondering if you could give me some idea of how many of the people, of that 2,500, are contractors, and what types of contractors are they?
C. Mah: When we refer to contractors, we're typically referring to contractors who are supporting the system as opposed to users, so these are contractors that provide IT support. They're the contractors that…. We outsource our development, so they're the programmers that are developing the system and aiding with the troubleshooting, to my knowledge. I might sort of double-check that with Jim, but I'm not aware of situations, for the most part, where contractors would be any significant number of the actual user base.
K. Corrigan: Some follow-ups on that.
Do the contractors have criminal record checks done?
C. Mah: Yes, they do.
K. Corrigan: And of the number of people who have access to this system now, the 2,506, some of those people did not have criminal record checks because they're existing employees. How many people have access to JUSTIN that have not had criminal record checks done? Do you know?
C. Mah: I don't have that number with me.
K. Corrigan: Could you find out?
C. Mah: Sure. Yes.
K. Corrigan: Okay. I have one more question, if I may. I have many more, but one more right now.
Part of the methodology used by the audit team involved what is called penetration testing, which is defined as simulating an attack. From page 16, the report says: "Our testing included scanning parts of the Ministry of Justice environment for the general availability of systems. From the scans, we were able to gain access to other systems that contained highly sensitive JUSTIN information and other information which could be used to initiate further attacks on additional systems."
Of course, we did already have the CORNET report, which had very similar types of criticisms — the same types of criticisms about CORNET that was 4½ years earlier.
I guess my first question about that is: did the ministry not do penetration testing before implementing the JUSTIN system or at some point along the way?
C. Mah: I could not speak to the entire lifetime of the JUSTIN system. It's been in use since the mid-90s, and I don't think that we have…. I certainly don't have the specific knowledge of all of the security testing that was done on that system. However, from a standpoint of the results that the Auditor noted, the information that they were able to compromise was not part of the JUSTIN system itself. It was a stand-alone system that was for another purpose and, to my knowledge, that system had not had penetration testing, to answer your question.
K. Corrigan: Okay. So I guess the question about penetration testing and other testing and trying to fix the problems…. What did the ministry do with regard to JUSTIN, if anything, after the CORNET report was released?
I'll give you, maybe, just one quote from CORNET, because I think it does show how closely related the two reports are: "Our audit identifies significant database access issues that could allow users to bypass all information security controls and restrictions." That's just one sentence, but there are many more.
So I'm wondering: given the information that was provided in CORNET about the serious deficiencies there that were very, very similar, what did the ministry do with regard to JUSTIN after the CORNET report was released in March of 2008?
C. Mah: The underlying server components to the system between JUSTIN and CORNET…. There are some shared components there. Those infrastructure components have been transferred in terms of the servers to an outsourced vendor now. It's HP Advanced Solutions.
There are now much higher standards for security on those systems. We talked about a migration project. That was underway prior to the JUSTIN audit.
The migration project had not completed at that point, but many of the concerns related to CORNET audit were around the sensitive database at the core of the system. So the safeguards to control access to that system and, similarly, to JUSTIN are being greatly increased through this move to this external service provider and the testing that goes along with that.
There are some provisions, in my understanding, in the contract that we have, to do testing and intrusion detection and those sorts of things.
K. Corrigan: Can I do one final follow-up on that?
B. Ralston (Chair): Is this related to this?
K. Corrigan: Related to this, absolutely.
My question was: what did the ministry do as a result of the CORNET report in March of 2008? What did they do with respect to JUSTIN because of the recommendations that were very similar to the concerns around JUSTIN?
B. Sadler: As I stated in opening remarks, back in 2008 we dealt with the recommendations specific to CORNET, and they were not applied to JUSTIN.
N. Letnick: A couple of questions. Your slide 11 talks about the response activity timeline — what you're doing and when you're doing it. The last date is April 2014, "Migration of JUSTIN to secure data centre."
Are you saying that as of April 2014 — because you did say that you accepted the 100 recommendations from the Auditor General's office — you'll have completed all the recommendations, or other variety of security measures to meet those recommendations if not the actual actions that were called for by the Auditor General?
C. Mah: The April 2014 date refers to key milestones on our current plan. One of the things on the plan is a decision from the ministry in terms of how to address changes to the JUSTIN system itself.
When I talk about changes, I'm talking about programming changes to the way the application functions. That is a fairly significant undertaking. Until we have a decision as to what approach is going to be taken, we don't have an end date for the completion of all 100 recommendations.
N. Letnick: So if you don't have an end date, the follow-up question on that one is: will you be done prior to getting re-audited by the Auditor General?
C. Mah: I would have to refer that question to the Auditor General, but I don't have a date in mind for when that might take place.
B. Ralston (Chair): It might be a reason to get re-audited too.
N. Letnick: I'll leave that with the two organizations to talk about off line.
My other question is…. I confess I'm not a lawyer, as many around the table are, or a police officer. When you talk about reports to Crown counsel…. The Auditor General's slide — it's not numbered, so I can't refer to it — talks about police investigations and accused, witness and victim information.
Should we tell the people of British Columbia today that if they have a police investigation done on them and there's victim information that is in a report to Crown counsel, that information is secure?
J. Hughes: The information that gets put in JUSTIN is as secure as JUSTIN makes it. If there are still gaps in that….
The caveat that I would put there is that we have to be clear on what actually gets entered into JUSTIN. That's also in a different scope, and it's not really part of the audit response.
The criminal justice branch is continuing to work on how we manage the information that we require to do our day-to-day work. That's the evidence that we gain to do a criminal prosecution.
Most of the evidence that's used to do a criminal prosecution does not go into JUSTIN, and that's something to be clear on. But the narrative does go in. The witness information does go in. Not on the most serious cases — the gang cases, the big direct indictment type of files. That information wouldn't go into JUSTIN. It would go in just as a placeholder for a file number, but certainly all the investigative information would not go in.
Your main street theft under…. Probably up to 99 percent of it is in JUSTIN. It's as secure as JUSTIN is. That's something I think that's an ongoing piece of work to try to make it more secure.
N. Letnick: What you're saying, though, is all that serious information is encrypted, as you said before?
J. Hughes: The information the criminal justice branch gathers from police around the investigation that's not in the JUSTIN system is encrypted, yes.
B. Ralston (Chair): Okay. I've got a long list of people here. I think we should probably keep going maybe for another…. Exhaust this list. I've got about five or six people here.
G. Heyman: The ministry mentioned earlier that you've moved servers from Victoria to Kamloops and Calgary. I'm wondering what measures you have in place, both to receive assurance and to remain assured that there is no backing up to servers in the United States or subserving to servers in the United States, given the U.S.A. Patriot Act.
C. Mah: That particular question was something that was addressed by the government's chief information officer and what is now the Ministry of Technology, Innovation and Citizens' Services at the point that the agreement with the service provider was signed.
I would not speak authoritatively, but certainly it's my understanding — and maybe I'll pass off to Bobbi here — that there are provisions that would prevent that from happening.
B. Sadler: We've had and continue to have ongoing discussions with the government chief information officer. As a matter of fact, a lot of the stuff out of this audit the Ministry of Technology and Innovation has pushed each past to up the security posture for the province.
G. Heyman: I didn't hear an absolute yes or no to the question.
S. Newton: It's a condition of the existing agreement with service providers for data that the data reside in Canada and that it does not go to the States. We get assurances from within the contract itself that it will not. That's occurred since the Patriot Act became an issue for government. Any and all government systems where they were looking at using contract service providers — not only for data but for actual processing, where it may go out somewhere to be processed and back…. Those service providers were required to ensure that the processing also occurred in Canada as well.
I think you can take great assurance that that was a very key requirement at the time. My understanding is that is still a very strong requirement as well. So pretty much categorically — data's not going to the States.
G. Heyman: If I might just ask the Auditor General to comment if you believe the contractual provisions are adequate to give British Columbians assurance that this could never be breached.
C. Dover: I haven't actually looked at the contractual agreements at this point, but my understanding from discussion with Stuart is that that is correct.
V. Huntington: Just a quick question. I'm sorry. I don't know which of you mentioned that its access to the system is system to system. Now, what controls does Justice have, the ministry have, on other systems — like, for instance, Transit users? What controls do you have on individuals in Transit who might have access to JUSTIN system? Do you do the criminal records check on them? Do you have a series of controls on what category of employee should have access? How do you control access through another system?
C. Mah: From a system-to-system perspective, no, we don't have direct oversight of the users on those systems. We have something called the JUSTIN electronic access policy, which is an agreement that the organizations must sign before given access. That's part of the JUSTIN access provisions. Within that agreement there are provisions in there prior to being given access that they must be compliant with all of the policies and procedures that would apply to JUSTIN. But we don't have direct oversight of those individuals and those organizations.
V. Huntington: Do you not see that as a fundamental security issue itself?
C. Mah: I think what I would say about that is that the system-to-system access is a mediated access to JUSTIN, and a lot of the stuff that we have heard today about access to RCCs and those sorts of things…. It's not the same access that we would be talking about through a system-to-system thing. In most cases, it's for very specific purposes.
I guess on the most extreme case you might only get an identifier out of JUSTIN that has no data associated with it. Some systems certainly do share data to a greater extent there.
With that sharing comes, I suppose, a higher level of trust. For instance, in a lot of cases we're talking about law enforcement that is providing the information in the first place. There is an expectation that their users have already…. I mean, they are the originators of the information. We do have a higher level of trust there. But for an external agency that is not trusted to that degree, I would say that their access is going to be far more limited in what you get through JUSTIN access, the stuff that we manage for our users.
B. Ralston (Chair): Wouldn't a typical TransLink user be a transit police officer? Would that not be the case?
C. Mah: Correct.
B. Ralston (Chair): Selina was next. Then I've got Greg, Linda Reimer, David Eby, Mike Morris, Kathy Corrigan again. Keep going.
S. Robinson: Given the long list, I'll be brief.
I appreciate learning that there will be an opportunity to identify when there are attempted breaches into the system. Are we able to do that now, or is that something that is yet to come?
C. Mah: It's a process that's underway. We have, certainly, higher assurances now than at the time the audit took place that we can identify more things. We have better logging in place now. Is the solution complete? Will it ever be? I think that's just something that…. There's no such thing as being done in terms of security.
From where we are in terms of the overall quantum, let's just say half of the stuff that we'd like to do is probably in place, and then there's another half that we see coming up over the coming months.
S. Robinson: As a follow-up to that, will there be in the future an opportunity for you to report out on the number of attempted breaches so that we could see the evidence of your hard work in making sure that we have systems in place? Say there have been 20 attempts to access the system, so therefore we have been successful — some way to sort of measure our ability to protect this sensitive information.
C. Mah: I think that that question is a difficult one to answer, because there are many different forms of metrics about what that would look like. In terms of what a breach looks like, in security in general you have all ranges of what might be deemed to be suspicious activity, which could be completely benign all the way up to serious.
At a certain level we cross the threshold into what we would call a security incident, where it got to the point of requiring some form of official investigation. Certainly, the statistics on that would be potentially available.
S. Robinson: Well, I just want on record that I'd actually like to see evidence of this moving forward. It looks like there has been some considerable effort and, I suspect, some considerable money put into making sure that we don't have these breaches.
So having some evidence that would suggest that these things are working I think would be very important moving forward. Whatever it might look like, I think it's important to include that.
G. Kyllo: I wanted to comment, and then a couple of questions. I think I'm encouraged by Bobbi coming on board full-time to actually take the lead on this. It's certainly very important to protection of information.
I know that the focus is on IT, but there are also…. It really comes down to the information itself. Even an individual that might have had a background check — there's certainly not a guarantee that that person isn't going to breach that information.
Your work is very challenging, and it's going to be ongoing. I don't know that we'll ever have 100 percent confidence that we've got full protection of all of the information. It really has to do, I guess, with the level of confidence that we have.
I'm encouraged that you are utilizing the Office of the Auditor General as a resource for some of that in-process testing work. That's very encouraging. I see that the opportunity to work in more of a collaborative approach, to work for a common goal and an end result, is certainly a lot more valuable. It could be potentially adversarial — where they're coming in like the cop, trying to make sure that you're following certain things.
I'm encouraged by that. I don't know that we'll ever have 100 percent guarantee as far as that protection of information. Your work is very challenging, but I want to thank you for your efforts.
L. Reimer: I have a couple of questions, actually, but I just want to thank the Ministry of Justice for all your work. I know in a rapidly changing world where there are IT experts out there — some of them good, some of them not so good — it's a real challenge not only for our government but for all governments.
The question was asked of the Office of the Auditor General about whether they looked at other jurisdictions and best practice. I'm wondering if you're incorporating that as you try to fulfil all the recommendations that the Office of the Auditor General has made.
B. Sadler: As I stated, I have to be honest. We are one of the very few jurisdictions that have a mission-critical system that is used with the amount of stakeholders that isn't just a Ministry of Justice application. But certainly talking to industry experts, security experts, OAG staff and other jurisdictions is absolutely key to me. But to get experience from other provinces, the experience isn't there.
L. Reimer: Okay. Well, I really appreciate that.
B. Ralston (Chair): Linda, just before you continue, I think Russ Jones wanted to make a comment.
R. Jones: I was going to comment that although we haven't looked at other jurisdictions, this isn't sort of the only IT system we've looked at over the last few years. There are a number in other ministries across government, as well, that we've looked at that have the same type of security concerns. We're currently looking at another couple of systems that still have security concerns across government.
Regardless of whether there are comparisons with other jurisdictions, it is a concern within this province around security.
L. Reimer: My other question has to do with the data services moving from Victoria to Kamloops and Calgary. How does that better serve? Is it because we've got two as opposed to one? I'm not very technologically inclined, and I’m not certain how that better serves us, so that's my question with respect to that.
C. Mah: The geographic consideration is not the primary inherent value there, although there is some from a disaster recovery standpoint. Getting key IT infrastructure out of a seismic zone into a more stable environment does provide some benefits there.
But in terms of the move, what's really beneficial to us is the opportunity to re-architect, redesign all of the systems. Currently in Victoria there is a large, I guess, legacy, if you will, of the way that the systems were designed, the network infrastructure was designed, so we deploy new systems into that. We're going back and talking about ten, 15, 20 years of history there. Certainly, with the move to the new data centres, it was an opportunity for us to redesign things.
From a security perspective, one of the big things that has been done there is a more layered approach to security, meaning that applications are now distributed in terms of zones. They have sort of like this notion of a low-, medium- and high-security zone with better segregation between them. It's less the physical move to what town or city you happen to be located in and more of just the redesign of the overall province's infrastructure that's the benefit to us.
B. Ralston (Chair): As I understood the move — it was explained to the Finance Committee a year or two ago — the idea was that it was lower seismic risk. The idea was to have a duplicate centre, so Calgary and Kamloops are essentially mirror images of each other.
It's a long-term recovery from disaster and government survivability of all vital information plan. Disaster planning, I think, is the best way to describe the motivation there.
D. Eby: In a report that we're going to look at next, actually, I believe around information technology practices, the Auditor General talks about a framework called COBIT, which is control objectives for business information technology, which is described as a business framework of best practices from IT experts. I wonder whether you're using this framework in the ministry to guide your work around IT, or whether you're using some other kind of framework to guide this work.
B. Sadler: Very familiar with COBIT. I would suggest that in my organization prior to me coming, the answer would be no, but the new resources I've hired have that experience plus have security certifications, so the answer is now yes.
D. Eby: Thank you. My second question is…. As we understand the chronology, there was a management report in August of 2012 that listed 100 recommendations. Leading up to that, the Auditor General's staff was working with ministry staff in identifying these issues. So there was some notice.
We're working blind, unfortunately. We don't have that list of 100 recommendations, and we can't go down the list with you of each of those recommendations, so it's a challenge for us. But as I understood one of the answers, there's no end date for those 100 recommendations. Now, I certainly understand that within security, you're never done, but are there issues that are arising that are preventing you from dealing with this in a more expeditious way?
In particular, I'm going to focus on two pieces. One is resources. Do you have adequate resources and staff to implement these 100 recommendations? We've seen, in the media, reports of inadequate funding for Crown counsel. I wonder whether resources are limiting the implementation of the 100 recommendations. The second is: is there adequate direction and emphasis from senior levels of government that this is a priority, or are you being asked to do other things?
B. Sadler: First of all, I'll just give you some statistics. Out of the 100 recommendations, we've closed 38 of them, 14 of them we're pretty close to completing, and 28 of them are in progress. They're going to be dealt with either with the migration to the new data centres or the security access review we're doing.
As your question relates to resources, full support at the executive level, hence why my position was hired and made an executive position. I have approval to hire up to four new staff in the organization. This has become one of the top priorities in our ministry — absolutely.
D. Eby: Is that funding coming from existing operating funding, or was there a specific envelope of additional funding provided to address these issues?
B. Sadler: Mostly existing funding. Some of the systems projects have been reprioritized to allow for changes to the system. There has been some additional capital money redirected to any system changes once we determine what needs to be changed.
D. Eby: One last follow-up on that. From which operating pools was that funding taken? In other words, were there planned hires for additional Crown prosecutors that are now not going ahead? Were there additional support people who were not hired as a result of this money being redirected?
B. Sadler: All the resources are in my organization, so they did not affect any Crown counsel hires. I've been making some adjustments in my organization, and with the centralization and consolidation of IT resources we found some duplication, in which case we could redirect employees to security. As well, we've had a bit of overturn in our organization, which has allowed me to hire additional security people.
M. Morris: Having been involved with JUSTIN years ago as a police manager, when it was first discussed and implemented and integrated with some of the RCMP systems and other police systems that we have around here, I think JUSTIN has evolved into a vanguard system for this country. I commend the ministry for taking those steps.
As with any kind of IT system, there are always attacks on the integrity of the system from a security perspective. I know the RCMP systems were getting hit thousands of times a day from various groups around the world, and I don't think this system is any different.
Like Chris was saying, there's a degree that raises your interest a little bit more. If they penetrate some of the firewall provisions that you have in place, of course, it gets everybody's attention, and I've seen that happen. I've also seen situations over the years where the breaches of security haven't come from the IT system itself but have come from the actual employees who, for whatever means, have decided to turn their attention to nefarious means.
So I'm asking the question — I know the question was posed by Mr. Eby and others in here that we don't know how many times the system may have been breached and some of the information may have been used: are you aware of any particular case?
I guess I look at the fact that if anybody is going to go to the extent of breaching the security of JUSTIN or any other system, they must have some nefarious thought in mind for the use of that information. Otherwise, they wouldn't go to the extent that they have to go through to breach that system.
Are you aware of any case that the police have investigated in the province over the last number of years or recently where information obtained through a security breach has been used by organized crime or some criminal element for any nefarious purposes in B.C.?
J. Hughes: The short answer, if I take your question in its entirety, is no. To narrow it down really more accurately, we are aware of or I am aware of at least one instance where police were called in to investigate a staff member for, we'll call it, inappropriate access to JUSTIN information.
It wasn't a breach. It was access that they were permitted to have, but looking at information that they wouldn't necessarily have needed to for that day's workload. There has been police investigation of that.
There's no information that's come to our attention that it was ever used in organized crime or any kind of nefarious purpose beyond: "Why were you looking at this?" It could be as much curiosity or an associate or something that had some difficulty with the law but nothing on the organized crime level.
K. Corrigan: In terms of the information, I think there's been talk about names and addresses and so on, but I also note that the report says that "will says" — in other words, what witnesses are prepared to say in court — are included in the information that's on JUSTIN. I'm assuming that is correct.
My question was…. I wanted to ask just a little bit about the relationship between PRIME-BC and JUSTIN, because I notice in the diagram on page 13 that the PRIME-BC database interfaces with the JUSTIN database behind the first intrusion-detection system and after the first firewall. Now, that was when this report was done.
I'm just wondering about whether or not there are any concerns about access, and maybe a little bit of an explanation about how the two systems interrelate and the people that are using them and whether or not there are any concerns about PRIME, particularly in relation to JUSTIN and the access to that information.
B. Ralston (Chair): Just perhaps in your answer if you could briefly explain what PRIME is as well.
J. Hughes: I'll take a shot at this, and maybe Chris has more technical information to assist as well. PRIME is the B.C. police database that they use for all their case tracking.
At its root, its design is to respond to the notion of better communication and cooperation between policing agencies so that if an offender that might be committing crimes, we'll say, in the Lower Mainland and then moves to the Interior, the data is in a centralized database, and they can keep track of that. It's fully adopted by the policing agencies now, and they use it for all of their investigations.
Its relationship to JUSTIN is a one-way relationship, and this may ease some of your concerns possibly. It is able to push information into the JUSTIN system through a regulated system that translates the PRIME information so that it can populate JUSTIN.
That's when the police have…. They would have millions and millions of investigations in PRIME, and they send approximately 78,000 of those to us a year. Of those, it's when they're ready to proceed with charges on a file, they will then push it through that PRIME gateway so that it populates all of the tombstone information in JUSTIN and allows Crown to do the charge assessment and proceed with the file through the system.
K. Corrigan: Can I ask a follow-up on that? Also, I was wondering if the Auditor General has any comment on the security and the interface between the two systems. I just want to check, as well…. You said, "Pushing information in one direction," but do RCMP officers have easier access to JUSTIN because they don't have to go through that first intrusion-detection system and firewall, or is that not the case?
I would appreciate the Auditor General or staff comment on PRIME and the relationship as well.
R. Jones: We are currently underway doing an audit of the PRIME system and doing network testing. That report will be out in the new year, probably in February.
K. Corrigan: I'm looking forward to it.
In terms of the specific relationship, either from the ministry or from the Auditor General, is it easier for the police, I guess, to get access to JUSTIN than it is for other users of the system because they get in at a later date, and are there concerns about that?
C. Mah: I would say the short answer to that is no. I would caution against applying too much of an analytical eye to a diagram which I don't think was intended for that purpose. I'll let the Auditor General add to that if there's any desire to.
From a high-level perspective, the police go through, I would say, similar types of safeguards and controls as do other users.
S. Sullivan (Deputy Chair): First of all, congratulations to the Auditor General and their staff. It certainly is a powerful example of the value you give to the province and also this committee. It's important work.
Just a question on the JUSTIN system itself. Is this a package or a system that was purchased from a security developer, or is it a locally made product?
C. Mah: It's a custom-developed solution that the ministry has…. We've developed it ourselves.
S. Gibson: I guess I'll be very brief. A friend of mine's definition of a secret is something he tells people one person at a time.
I'm looking at the report here about the term "attackers." I think when we think about attackers, we think of people in camouflage carrying guns and things. Of course, this is much more subtle.
The outside attackers — to me, we've addressed that. There haven't been outside attackers. So put that aside. What we're looking at now are the internal attackers. These are the folks inside that…. For some reason these 2,500 or whatever the number is, they want to do something disruptive that will compromise the security of the system.
I guess unless we find out…. I think the questions have been very relevant and very helpful to me as a new person here. If you can't find out externally…. So I'm the bad guy and I go into the system and find out about my buddy Greg here, for some reason, to try to get him off something or whatever I'm trying to do. Unless that's noticed outside by an external party, we're never going to find that out. Do you know what I'm saying?
To me, a lot of our discussion to some extent is academic until we finally find a situation outside where somebody compromises it. Does that make sense?
C. Mah: I think so. I mean, there are a couple of ideas in there.
S. Gibson: In other words, to put it in the simplest terms, until we get evidence outside that it has been compromised, much of what we're doing right now is largely academic or theoretical, as important as it is.
C. Mah: I would characterize that…. In the realm of security you want stuff to be academic. When stuff is no longer academic, that's when things have failed. So it's a worthwhile discussion to engage in.
S. Gibson: Absolutely.
C. Dover: Through the Chair, if I may.
B. Ralston (Chair): Go ahead.
C. Dover: When you're looking at people coming from inside the organization, you have particular monitoring and detection protocols set up within the system just to keep track of who is accessing what type of information.
That's one of the ways where, on a proactive basis, you know when somebody is attempting to breach the system — so making sure that people have the right roles and access for those roles and then putting protocols on the database so that when somebody goes in there and attempts to look at information they're not supposed to, that gets flagged.
You do the same thing with your IT contractors and database administrators as well. So it's knowing when they're going into information that they're not normally supposed to go into and then having a log that tracks and records that, or an alert that says: "This is inappropriate access." That's how you deal with breaches from internal to the government.
Like you said, and like we had pointed out in our report, external attempts have been dealt with fairly well. It's the internal issues that we're quite concerned about.
B. Ralston (Chair): Thank you.
I'm going to suggest we take a ten-minute break, now that it's 11, and come back and continue. I've got several other questioners, at least, on this report. So ten minutes — 11:10 or so.
The committee recessed from 11:02 a.m. to 11:17 a.m.
[B. Ralston in the chair.]
B. Ralston (Chair): Continuing on our report on securing the JUSTIN system.
S. Simpson: My question is to the Auditor General. We had heard earlier, I believe from Ms. Sadler, that about 36 or 38 of the 100 recommendations have been completed, 14 others are getting pretty close, and then the remainder are in some progress or haven't commenced yet. The suggestion here is that about half either are done or are close to done.
I know in the report the Auditor General suggests that there's monitoring going on, on the progress of these. Could the Auditor General tell us their satisfaction that we have about half these recommendations completed and moving forward? And are those the critical recommendations?
It's a bit of flying blind here, not having that information and not knowing which recommendations have been completed — or even what the recommendations are, essentially, let alone what's been completed. Some advice from the Auditor General would be helpful as to whether those are the most significant recommendations we're dealing with. And are you satisfied that we're about halfway there to getting those 100 recommendations done?
C. Dover: I'll start, and then I'll pass it over to Ms. Hamilton. We have been meeting with the ministry and discussing their progress on the recommendations that they're addressing to this point. We'll continue to do that.
You're correct. They have been making some progress. I'll let Pam discuss what our thoughts are on those — progress so far.
P. Hamilton: One of the ones that we've brought up as a key issue specifically was the need-to-know access. There are a lot of people with a lot of access.
That one, we know, is a big issue to resolve. It involves determining what access people need, what role should be set up and going back to the program and programming it to make sure that people do have that need-to-know access, the right granularity.
That one has not been addressed. They are working on it. They're supposed to have a security access matrix next month or the month after. Then it'll go back to the programming changes.
That one is a concern for us because that involves everything. It involves who can print, who can look at the RCC, who can copy the RCCs to file. So that covers a lot on that one.
Then the monitoring function. Although there is some logging in place and there's some monitoring in place, it's not very proactive monitoring right now. The logging would be, maybe…. They might be able to use it for investigation if they were alerted to a breach, but right now it's not proactive.
Those were the big ones for us that are underway but not there yet.
S. Simpson: Maybe as a follow-up to the ministry staff…. I do look at the response activity timeline that was laid out by the staff. As the Auditor General's office has said, the matrix is to be completed in the next month or so. Then there are a number of steps, through to April 2014, to complete.
Is it the expectation, then, of the ministry that the substantive recommendations that have been laid out by the Auditor General, including those ones that have been referenced about need to know and monitoring, will be essentially resolved by the time we get to April 2014, based on the response activity timeline that's in the presentation?
B. Sadler: I'm going to try to respond to this. By April 2014 we'll have a majority of the recommendations dealt with or have a plan for them.
The security matrix is being worked on. We plan to have that complete and a decision made on how we move forward. Depending on how big of a change it is, there could be up to several months' worth of changes to the systems to address that.
Out of the 100 recommendations, there are about 18 of them that are specific to the user access. By the end of our fiscal, which is April 2014, we'll have dealt with a majority of them, with a plan to deal with the last 18 and what the timeline would be on those.
S. Simpson: Just to be clear on the answer. The Auditor General's office had flagged, in their response, the two key areas: the need-to-know questions and the monitoring and oversight questions. The expectation is those two critical areas will be substantively dealt with or well in progress by the time we get to April?
B. Sadler: Correct, especially the monitoring. We're in the process of implementing some new tools, and most of those will have been dealt with. We will, if not, have done some implementation on the need to know. We'll know exactly the plan and the timeline by April.
K. Corrigan: The response from the Ministry of Justice stated, on page 8: "The Ministry of Justice has taken steps to mitigate all immediate threats on a priority basis and has restricted access to the most sensitive information within JUSTIN."
I recall Mike was saying earlier, with regard to databases he was familiar with — and I assume PRIME would be one of them — that there were thousands of hits to try to get access to that information. I'm not sure whether there would be thousands of attempts, but Mike maybe had the assumption that there probably would be many, many attempts.
Given that there perhaps are many attempts and given that this report came out in January of 2013 and given that it's then a public document and people would have access…. All sorts of people would have access to that document, would take a look at it. Those that might want to nefariously get into the system….
First of all, what are those immediate threats? And did the ministry and the Auditor General have concerns that the very publication of this report would increase the activity of those trying to get inside the system, either electronically through computer systems or through individuals who perhaps shouldn't have access? What happened there, what were the concerns, and how were they addressed?
C. Dover: We did have some concerns, and that was one of the reasons why we worked with the ministry to figure out when the best time was to release the report. We did release the management letter to the ministry in August of 2012, so they had the detailed information on what the 100 recommendations were. They had a number of months to actually deal with the recommendations and deal with some of the more serious ones by the time the report came out in January.
The other point is that when we did our penetration testing, the risk from external attacks was lower and the risk from internal was greater. So providing that information out to the public at that time didn't change that. Somebody from outside the government environment still could not get in. Releasing the report didn't change that risk at all.
K. Corrigan: A follow-up on that. Given that there are continuing concerns about the need-to-know access and the number of people that still are accessing JUSTIN, and then the concerns about who can print and who can look at the reports to Crown counsel, I'm not very comforted, given the fact that the report is out there. There could be situations where pretty sophisticated criminals could say: "Wait a minute; we have access here." Also, given the fact that we're told that existing employees have not had criminal record checks done, it doesn't give me much comfort about the security of the system yet.
I know that good work is being done. But given that ICBC had some attacks through their data system as well, and it was again using individuals, it seems to me that in the end, the most sensitive area and probably the area where you can take advantage is through individuals. I'm concerned about that. I guess that's just a statement.
The question was also: what were those immediate threats that were considered, that were included in the government response?
C. Mah: Absolutely. We share that concern, and we had some significant discussions internally and with the Office of the Auditor General around the release of the report. As far as steps taken, some of the immediate things that were done were doing the user review and eliminating access from anybody that didn't need to have that access — basically, just making sure that we were as tight as we could be on the number of users into the system.
Secondly, from an external perspective what was done was we employed a security firm to do proactive monitoring on our behalf. One of the things that was observed in the audit report was that while some suspicious activity was noted, the ministry was not proactively notified in a timely way. So we went back to our security consulting firm and reconfirmed with them the criteria by which the ministry would be notified.
This increased auditing of external attempts to access the system is the new norm for us now. So the expectation is that the sorts of things that the Auditor General observed in terms of our ability to detect attempts to breach from the outside would no longer be permissible. At least, I should say, we would be notified of such attempts now, whereas in the past we were not.
K. Corrigan: Can I ask a further follow-up on that? There seems to be a bit of inconsistency. You talk about the need-to-know access, that there was work done immediately because of the concerns with the release of the report. But the Auditor General's office is saying that that is still a big concern. I'm wondering if we can resolve…. Does the Auditor General's office have any comment on that?
P. Hamilton: Sure. I think the 800 that Chris is talking about — those don't need access at all. The 2,500 remaining — that need-to-know access is too broad. They should only have parts of the RCC that they need to perform their job.
K. Corrigan: So it's still a concern.
B. Ralston (Chair): That's where this so-called security matrix…. I think I'm going to use that a lot. I like that. You're developing that, and that will segment people on the basis of what parts of the report they need to get access to. And that's going to be completed, I think you said, in the spring.
B. Sadler: Correct. Could I add one thing? I also want to stress…. We haven't talked about this much. Over the last six months we have been reminding the staff and the people that have access to JUSTIN of their responsibilities. We sent out a reminder on the Justice uses policy.
We also are retraining our staff. We also are reminding them of their responsibilities: that if there is such a breach or if they're feeling any pressure, they need to go to their supervisors. There have been all kinds of communication across the ministry and our user base on the reminder, training and education on this as well.
B. Ralston (Chair): Thank you for that.
S. Robinson: I want to, I guess, acknowledge the number of activities and the efforts being made to actually take care of the concerns that were raised by the Auditor General. When I take a look at the report and go back to…. The whole purpose of this was to make sure that we had a proper security system in place.
I'm curious about how do you, how do we know. How do we measure the outcome? What are the performance indicators that would actually come back to us that say: "This is what we've achieved, and this is what we've accomplished"?
I guess I'm curious about what kinds of things you're measuring. I appreciate all the activities, but activities don't tell us that it is, in fact, more secure. I just want to get a sense of what's actually being measured so that we have some assurance that the security measures being taken are actually working.
C. Mah: Sure. Security is an area that is notoriously hard to measure. I mean, when you're doing a good job, the only thing that happens is…. Well, nothing happens.
In terms of metrics, one of the things that's applied is adherence to industry best practices. The audit controls that the Auditor General uses — and similarly, we talked about this COBIT framework — are employed, and we internally self-audit against those as well.
What success looks like for us, in addition to the absence of a security incident or a breach, is going down the list and meeting those security controls in terms of what the best practices look like. I believe this committee will hear some more about general controls audits at the next agenda item.
B. Ralston (Chair): David Eby is the last one I have.
D. Eby: I wanted to put it on the record, Mr. Chair, that this is a very difficult job that we've been asked to do. As I understand our job here today, we're to make sure that the ministry is making progress on recommendations made by the Auditor General. So 100 recommendations made, about half of them done. We don't know which ones. We have sort of broad categories, but we don't know which recommendations have been made. We don't know which recommendations have been completed and implemented.
We know that there are four staff assigned from internal resources to attack this issue. But this is something that strikes at the heart of public confidence in the justice system — that when they call 911 and they make a report about someone, that their safety and their information will not be compromised and that this is a secure and appropriate system.
I don't know how else to say this other than it's very difficult for us to sit here and…. Some MLAs have felt confident about what they're hearing, others not so much. I don't know what to say about this other than this is a very difficult position that we've been put in, to come out of this meeting and say, "Yes, we feel confidence about this" or: "We don't."
I don't know whether four staff are enough, and I don't know whether this is a fast enough pace or whether there are commonsense recommendations that could be immediately implemented. I simply wanted to put on the record that this is a very difficult job we've been asked to do, and in fact, it's an impossible job in some ways.
B. Ralston (Chair): Perhaps the Auditor General might like to comment on that.
One of the areas that we are going to discuss further — the Deputy Chair and I — is follow-up. In this case, in the follow-up report in October 2013 there is a self-assessment following up on this report. You made reference to the possibility of a further audit of the progress on the implementation of these recommendations.
Notwithstanding, obviously, that there are differing degrees of assurance about the progress here, I'm wondering whether you would like to comment further on the general topic of implementing these recommendations.
R. Jones: The follow-up process, as you have pointed out, is one that we do need to, I think, relook at.
Currently the way I would describe it is that it is a self-assessment. If, for example, this were a regular audit committee of a Crown corporation where we had issued a management letter from our audit, say, of the financial statements to the audit committee, there would be an expectation that management provides a response to our internal control deficiencies that we talk about and provide a timeline as to when those would be corrected.
What we would then do before the next, say, audit committee meeting is re-audit those areas to ensure that management has, in fact, corrected the control deficiencies that were noted. Then that would go to the audit committee, and if there were still outstanding items, the audit committee would hold management accountable. That's the normal way we do it in a financial audit.
I think there is a very, very good rationale for trying to do that within the Public Accounts Committee as well. Right now when you do get our follow-up reports, you are not getting any audit assurance from us that those self-assessments are correct. We do look at them to make sure that we don't see anything that is out of line. We always look to see if there's one that says, "Nothing's been done at all," because that is a concern.
B. Ralston (Chair): That observation was rejected, apparently.
R. Jones: I see that. Right now you are correct. What we would like to see coming out of these meetings, of course, is that our recommendations are adopted by the committee, and then we can discuss, I think probably in a couple of days, what a good follow-up process would really look like. I can see where your angst is. We have the same angst.
Believe it or not, when we put out a follow-up report, whether or not we state it's audited or unaudited, the public get the follow-up report, and they think we have looked at it and audited those representations that are in there. So we run a risk as well.
B. Ralston (Chair): Last question from Kathy Corrigan, and then I don't have anyone else on the list.
K. Corrigan: I probably wasn't listening, but I was asking about attempts and what we know about the number of attempts. Do we know the number of attempts, either externally or internally now, of people trying to get into the system inappropriately?
This is my second-last question, Chair.
C. Mah: Again, I will attempt to answer this in a way that is not too technical. That really depends on the notion of what an attempt to enter the system looks like. So on a daily basis, we receive in the order of, I would say, thousands of Internet requests that would attempt to connect to the servers. That's just a normal part of being on the Internet these days. You'll find that the majority….
K. Corrigan: Do you mean JUSTIN?
C. Mah: I would say that applies to all of the systems. And these are not directed attempts to access JUSTIN. These were what I would characterize as broad-based scanning of all the computers that are out there. I mean, this is sort of the approach in which a lot of malware spreads across the Internet, so it's not unrealistic for us to see that sort of traffic. In fact, it's very routine for us.
Now, what the challenge is, is just sort of to separate out what is, I guess, an incident of concern, where something looks like it might be targeted, where somebody might have knowledge of the system that they're attempting to connect to as opposed to just random scanning. That is the threshold that we use in terms of triggering a notification from our monitoring vendor to our staff.
From a numbers standpoint, while we're probably seeing many thousands, if not tens or hundreds of thousands of Internet traffic connection requests coming from all across the globe, we would probably see somewhere on the order of one or two, perhaps, a month, or perhaps even less, that would cross a threshold for us to raise alarm and require some sort of follow-up.
K. Corrigan: Just a follow-up on that. One or two per month that would require a follow-up. What would those be? Would those be individuals that…? Can you describe what that would be?
C. Mah: Again, what I'm talking about are the incidents that come through from our monitoring vendor. Sorry, I should put this into context. I'm not talking about ones that are specifically directed towards JUSTIN. I'm talking about as a ministry as a whole. Anything that comes to our attention would be that approximate number.
I don't actually have any specific awareness of JUSTIN being targeted per se. It's more of malicious users on the Internet looking for any sort of vulnerability on a system that they can exploit.
What a follow-up might look like…. After we've received a report from this security company, we might see that there is a specific computer — or IP address, is how we get this information reported — and we'll figure out where that is coming from. They may be repeatedly attempting to access our systems over the course of a period of time.
So the follow-up would look like: what is the nature of this? Is this something to be concerned about? Does it look like we're being targeted because of our organization or just because we happen to be running a particular version of an operating system with something that looks attractive to somebody who's trying to take over some system, any system?
For the most part, we have not seen anything that looks like a targeted attack towards the JUSTIN system. I don't know if that answers your question, but feel free to follow up if there's anything else.
K. Corrigan: One more question, just a final question. With respect to the 100 recommendations that were made, I'm wondering, as a matter of process: is it appropriate for us to have access to those 100 recommendations in an in-camera way, through an in-camera meeting?
B. Ralston (Chair): I suppose in theory, yes, but that's something I'd want to discuss with the Auditor General and the team and, I think, with the Deputy Chair. I'm not sure that I want to be responsible for knowing those things. That's an option, but I can't give a definitive answer here without a lot of further discussion.
In theory, that's something that the committee could ask to do, yes.
K. Corrigan: Okay, thank you. That's it, then.
G. Kyllo: This is a follow-up to Kathy's question about the effectiveness. I was just wondering. Of the 100 recommendations, are those set up in any kind of a hierarchy as far as the importance that the Auditor General puts on those recommendations? Is there some dialogue back and forth with the ministry in determining which are the most important, critical areas to hit?
C. Dover: As we had discussed a little bit earlier, there were some that had specific issues around assigning roles and the right access based on those roles. That and the monitoring of who's having access to the database would have a little higher priority.
Do you want to add anything to that?
P. Hamilton: The five key issues were the most important areas, and of those, they were rolled up from more specific areas that we've put in the report on page 7. We say how many recommendations apply to each area. But those five key issues were our main areas. Whether we weighted each individual of the 100 recommendations…. We didn't necessarily rate them by risk. But we rolled them up to the five key.
G. Kyllo: I can appreciate that it could be extremely difficult to determine in which order they should be addressed, because that would potentially require a lot more work, I think, by the ministry to determine if new software is required and that sort of thing.
I guess another follow-up to that as far as the effectiveness of the efforts…. You've indicated that you've established a reduction in the number of users, and that's definitely measurable and quantifiable. There's also been work as far as your ongoing efforts to limit the amount of access that different users have. Again, that'll be measurable.
Then also your efforts to monitor access of different users — I think that's very important. You know, 25 years ago when it was a paper file, you didn't necessarily have any record of who actually opened a filing cabinet and might have looked at a particular file.
Now, at least, if it's not a printed document and people are accessing on line, you'll have record of who's accessed. Those things are definitely quantifiable. You might give some thought to how you could put that in some kind of a measurement tool to provide a bit more assurance, I guess, that you're actually going in the right direction, that you're limiting some of that access.
I just had one question, actually. With respect to follow-up audits, is that something you guys would see as valuable? You've indicated that there is some ongoing dialogue, ongoing meetings. There have been some collaborative efforts with the Office of the Auditor General. What are your thoughts around a follow-up audit to, I guess, have a look at your guys' performance?
B. Sadler: Yeah, we have no problem with that. That's why we meet with the OAG monthly. Again, this is a top priority for me. Security is very important to our sector, and we have no issue with a follow-up report. Yeah, absolutely.
B. Ralston (Chair): Great. I think that concludes all the questions. As you've heard the Auditor General say, we're in the process of discussing the issue of recommendations, so I'd like to defer any motion on the recommendations until further discussion between the Deputy Chair and myself and the Auditor General. We're here for four days, so maybe that can take place somewhere down the line, and we can come back to this particular report.
With that, we can extend this or, I suppose, leave it open in the sense that we're adjourning it but not concluding it, and move to the next one, which is The Status of IT Controls in British Columbia's Public Sector. I think what we'll probably have time to do before we break for lunch is for the Auditor General to present — I think there are some short slides — and then break at around 12 and come back at one. So perhaps we can get underway.
I want to thank all the people who participated. Thank you very much.
Any time you're ready, Mr. Auditor General, go ahead.
Auditor General Report: The Status of IT Controls in British Columbia's Public Sector: An Analysis of Audit Findings
R. Jones: Thank you, Chair, Deputy Chair, Members. We're now going to turn our attention to a report that we've started putting out in the last couple of years, The Status of IT Controls in B.C.'s Public Sector.
As everyone knows, government relies on IT for its daily operations and to deliver on-line services. Whether it's an on-line application form, a licence renewal or a health record, there is always the possibility that fraud, theft, service interruption or privacy breaches could happen.
This report that we've put out summarizes IT-related issues identified during our annual audit of the government's financial statements. When we're out there doing our audit of all the public sector entities and the private sector firms are doing their audit of the public sector entities, and while we're doing an audit of the government's books as well, we identify IT controls that could use some beefing up and fixing.
Since 2008 we've released an overview of internal control deficiencies in our annual report on the government's public accounts, and 2012 was the first year that we published this IT general controls deficiency information separately. We wanted to do it just to highlight the significance and the number of issues that we come across on a regular basis.
The information in the report comes from 154 different management letters that are sent to organizations within the government reporting entity. As I said, it comes from our office in the financial audits we do. It comes from all of the private sector firms from the audits that they do as well.
B. Ralston (Chair): Russ, could you just explain to the non-initiate what a management letter is?
R. Jones: A management letter is very similar to the one you just didn't see that we sent to the Ministry of Justice.
B. Ralston (Chair): That's not the best example.
R. Jones: I know.
When we're out there and, say, we find a problem with password protection, we will write up a management letter — points to management saying: "Here is the control deficiency, here's the impact it could have on your organization, and here's our recommendation on how you should fix it."
This letter goes to management, and it also goes to the audit committee, or finance and audit committee that each organization has, as part of our audit of the financial statements. It gets discussed at our year-end meetings with the audit committee when we discuss the financial statements. The management letter forms part of that.
It is not a public document that is released. It is something that goes to management and then is passed on, hopefully, to the comptroller general's office by the firms.
B. Ralston (Chair): Thank you. Just continue. Sorry, I didn't mean to interrupt, but I thought that would be helpful for members.
R. Jones: This report that we've got here covers five main categories of IT general controls. It covers information security management, IT control environment, change management, availability of data processing and physical security — five main areas that we consider very important.
Almost one-third of the issues identified in government's financial statement audit relate to IT controls, so it is fairly significant. More than half of those had to do with deficiencies in ensuring that IT systems and data are protected.
What I would like to do now is turn it over again to Cornell Dover, who is the assistant Auditor General in charge of IT in the office, and David Lau, who is the lead director on this project, to take you through a quick presentation.
D. Lau: Good morning, Chair and Deputy Chair and committee members. I'm going to highlight some of the findings in this report in the next ten slides here.
The B.C. public service is increasingly relying on information technology — hereafter I'll refer to it as IT — to gather information and deliver services. The public expectation for personalized IT services is also increasing. This is driving development of more complex IT applications. Public sector organizations must also protect the accuracy, integrity and confidentiality of IT systems and the data they contain.
In our work, Canadian assurance standards require public sector auditors to obtain an understanding of the entities they audit, including their business environment and internal controls. These help auditors identify and assess risks and make audit strategies to ensure that financial statements are properly prepared.
Each year our office, along with a number of private sector accounting firms, audits the financial statements of the government reporting entity, made up of 163 organizations in the fiscal year 2011. Management letter is a form of communication from the auditor to the management on control weaknesses that need to be addressed, which can include the issues raised about information technology and governance.
This report summarizes IT issues resulting from our assessment of financial applications. It is based on financial statement audit work done for the fiscal years ending March 31, June 30 and December 31, 2011.
We revealed the audit findings in 154 management letters and found that 30 percent of the identified issues related to IT general control deficiencies. Because of the significance of this percentage, we reviewed the findings more closely and identified larger, more systemic issues and risk.
We organized these issues into five categories: information security management, which relates to ensuring that IT systems and data are protected; information technology control environment, which describes organizational IT leadership, tone and culture; available data processing, which relates to maintaining business operations at all times; change management, which relates to updating and replacing IT systems in a controlled and coordinated manner; and physical security, which describes protecting IT systems from physical threats.
Of these categories, information security management had the most documented witnesses, followed by IT control environment. However, before drawing any conclusions, there are some limits to consider. For example, management letters are not standardized documents. Their contents depend on what auditors view to be the key risks to organizational financial reporting at the time of their audits.
Overall, though, these findings do indicate weak IT controls in government. While some of the control gaps may seem insignificant, they can leave an organization vulnerable to serious threats when combined with other control gaps. Strong information security management decreases the likelihood of corporate data or personal information being used for fraudulent purposes.
In our detailed analysis we found that 55 percent of IT-related management letter issues related to inadequate information security management. For example, we found that account management, which is to ensure that only appropriate users access sensitive information, was poor. Strong passwords and periodic changes of passwords were not enforced, and separation of duties within the IT department — that is, to ensure no one is in a position to conceal illegal acts or frauds — was inadequate.
A strong IT control environment is necessary for identifying, assessing and resolving threats on a timely basis and contributes to many business objectives.
Our review found that 17 percent of IT-related issues related to IT control environment. For example, we found that IT strategic plans and policies weren't in place or up to date. IT staff training wasn't up to date with rapid changes in technology, and contract management processes were insufficient to hold contractors or service providers accountable for the deliverables and security measures.
Change management is necessary to decrease both the risks of information being processed incorrectly as well as the risk of service disruptions. Inadequate change management increases the chance of information being lost or access being granted to unauthorized persons.
We found that 15 percent of IT-related issues related to change management. For example, in some instances there were no policies or procedures to guide testing and implementation of software or system changes. IT changes were not documented or signed off properly, and post-implementation reviews to ensure that changes were made correctly were not conducted.
Eleven percent of IT-related issues in our analysis related to availability of data processing — specifically, failing to maintain effective, up-to-date disaster recovery plans and to back up data off site. Both of these are necessary to ensure that normal business operations are restored efficiently and effectively in the event of human error or natural disaster that disrupts data processing.
Finally, good physical security measures help prevent attackers or even accidental intruders from stealing equipment and accessing important data. Public sector organizations must always be vigilant in designing security measures to balance security features and a tolerable amount of personnel access against important and sensitive assets.
In our analysis we found that only 2 percent of IT-related issues identified a lack of adequate physical security. This does not, however, provide assurance that physical security is well managed in the public sector. Physical security has the least immediate impact on the overall accuracy of the financial reporting. Therefore, some auditors may not have reviewed this control category closely.
Looking ahead. As government continues to rely on sophisticated IT systems to save costs, share data and capture valuable information, the need for ensuring data quality and integrity for financial reporting will only increase.
The Office of the Auditor General of British Columbia will continue to review the design and existence of IT general controls that are significant to financial reporting audits, expand the scope of IT general control reviews to include key application controls for operating effectiveness, consider how private sector accounting firms can focus on IT controls within the public sector entities they audit and conduct IT performance audits that will have a positive influence on government and its entities in IT security management practices.
This concludes our presentation.
B. Ralston (Chair): Mr. Newton, I understand you have a relatively brief presentation, so rather than hold people in suspense over lunch, we can do it now.
S. Newton: I'll be quick.
David, can you put up your slide 4? It'll be the best for me to explain the response and why it's just me sitting here versus 163 separate organizations.
B. Ralston (Chair): B.C. Ferries needs the revenue, though.
S. Newton: The management letter issues in the year-end financial statements are the responsibility of the separate entities that were audited.
If you look at ministries, I review the management reports with each one of the specific ministries and their CFO. With Crown corporations, schools, universities, colleges and health authorities, each one of those management teams in those organizations, when they receive the management letters, including the IT management letters, is responsible and accountable to their board to be able to respond to what's in here.
From a whole-of-government perspective, I can't tell you who we're holding to account, because it's not one person — each one of those entities. If you use school boards, for example, the elected representatives of those school boards should be holding management to account for the control concerns that the Auditor General's office or any of the other auditors are using.
As far as being able to be sure when I do the year-end financial statements, I get audited financial statements back from those entities. The control issues were not significant enough to affect the audit recommendations, so I can use the audited information.
Certainly, on the ministry side we take an active interest. We have discussion with the Auditor General's staff on sorts of trending, larger issues, in case we need to maybe go talk to a Crown and suggest they might need to do some work. But from an authority, governance and accountability perspective, those management letters and the management teams in those entities are responsible and accountable back to those individual Crown entities.
That's why there isn't an office-of-the-Crown guy talking to you here who would have authority and responsibility for that group. That is dispersed amongst those entities.
Now, as information from an oversight perspective, it provides a good perspective. We're thankful that we've got this information from the Auditor. It makes us a little bit more aware of the information that we're receiving from ministries, but unless it's going to trigger an audit issue that the Auditor is going to inform our office of, we can still use their financial information for year-end financial statement purposes.
B. Ralston (Chair): So looking at your chart there, the number of ministries, I see, is two — relative to the concerns in the other Crowns and the SUCH sector, which seem to be the vast bulk of the concerns. Is that right?
S. Newton: Yeah, and it does look like it's grouped. If you look at the bottom line…. I found it very informative. Thank you to the Auditor General's office. It gives you a sense of the number of entities within that pack that actually have problems. So if you use universities and colleges, it was only 11 out of 25 universities and colleges that had management letter concerns.
Management letter concerns are a normal part of any audit. The expectation is that management looks at them, assesses the relative risk, the cost of addressing them, and management and the board — because the board has to agree to it — come to some common understanding around what they're going to do or not do to be able to address those issues.
The other piece, I think — and maybe we'll see this in subsequent years, and maybe it's a request from me to the Auditor — is: knowing that some of these issues occur in Crowns, is this the same issue next year? Or is it…? Let's say it is an information management security issue, but it's a different issue. Knowing that versus that it's the same issue and they haven't touched it would be more relevant from an information perspective.
So this sets a good baseline for discussion as it evolves, as the years go by.
B. Ralston (Chair): What I'd like to do is just leave it there and then deal with questions after lunch. The lunch is here — you don't have to go far — and then we'll reconvene at one o'clock, okay?
S. Gibson: With respect, I'm wondering if everybody is open to starting, say, before one to accelerate our departure. I don't want to rush us away from here. I want us to take the time we need. I'm wondering if the Chair would entertain us, if there was consensus, having an abbreviated lunch. Just wondering.
B. Ralston (Chair): I'd like to have the time. Members will have other things that they need to do — get in touch with their offices — so I'd rather have the time.
S. Sullivan (Deputy Chair): I leave, and I do my bathroom break. I have to go home.
S. Gibson: No problem. Just wondering. It's fine.
B. Ralston (Chair): I'd prefer to have the time. An hour is not long. We don't have a collective agreement, but there you are.
Okay? If we can come back at one, then. Thanks.
The committee recessed from 12:05 p.m. to 1:01 p.m.
[B. Ralston in the chair.]
B. Ralston (Chair): Welcome back, Members. We're in the process of discussing the report entitled The Status of IT Controls in British Columbia's Public Sector. We've just heard a presentation from the Auditor General and from, responding, the comptroller general. I'll open the floor to questions, then.
M. Dalton: Looking at the numbers of management letters, is this on a rotating basis that the management letters are produced, are made? You've got 12 out of 60 school districts, and do you do this every year — the different ones you focus on — or is this specific for this report?
R. Jones: No, every year, in theory, each public sector entity could get a management letter from their auditor. In the cases here — where it says, say, two of the health authorities had issues, and 17 issues in total — that may mean that those two health authorities had some IT issues. The other health authorities may have had other issues which were in management letters, but all this is relating to is the management letters that were issued that actually had IT concerns in them.
We could do, say, an audit at the Liquor Distribution Branch and have ten management-letter points, but none of them would be IT deficiencies, because we didn't find any problems in the IT area. Does that answer your question?
M. Dalton: Yes. Just a quick follow-up. You chose two different ministries. Were those the only ministries that were very clear for you that needed some focus, as far as those two ministries?
C. Dover: It says "two ministries" up there, but actually the work was done on all the ministries. It was just that there were only two ministries which IT reports actually related to. It wasn't that we only selected two. We selected all of them, just like we selected all the Crown corporations, schools, health authorities and whatnot. We looked at all the management letters that were produced, and we selected only the IT issues from those management letters.
G. Heyman: I'm not entirely clear how possible it will be to get answers, but hopefully, the comptroller general or the Auditor General or both will be able to help a bit here. I read this report just before I read the audit report into the JUSTIN system, and I note that as part of the introduction to the report it says: "Fraud, theft, service interruption and privacy breaches can be some of the threats to IT systems and information…. However, despite five years of identifying inadequate IT controls, significant problems persist in B.C.'s public sector."
I took that to mean, although I may have been reading things into it, that not a lot of progress has been made in five years, or at least not enough progress, in addressing the issues being identified by the Auditor General: "IT deficiencies accounted for 30 percent of the audit issues communicated to the public sector entities for fiscal years ending in 2011."
Let me start with a question regarding the recommendation that "public sector organizations should have information security management policies and procedures in place to manage information asset risks and keep information security risks low," including regular reviews of hardware and software; "robust procedures to identify, assess and resolve operational processing errors; and active enforcement of key security policies — e.g., user access management."
My question is: how are priorities being set throughout government in addressing these? And how many concrete steps have been taken to date to address them? I do have a couple of secondary questions, but at the Chair's encouragement, I'll try to not do run-on questions.
S. Newton: Okay, I'll take a quick stab at answering in the first place. It's not a central, whole-of-government issue. It relates specifically and individually to each and every Crown that may have had a management letter.
One of the things that might be useful — maybe at another meeting — is to talk about Crown governance and how it works. Each individual Crown is connected to government through the piece of enabling legislation that sets it up. That sets a very specific set of rules and requirements but has them sitting independent of government. So government's chief information officer is not setting IM/IT or information control policies in those organizations. Each one of those organizations is setting up their own policy.
Without a specific example, let's say, out of the 11 universities…. Eleven out of 25 had control issues. We don't have what the university is, what the control issue is and how that's changed over time. There is no information in this report to talk about that, so there's no way to answer that question.
It would be the entity specifically — one of those 11 that have a control issue — that would be responsible and accountable for being able to deal with those. The problem with a compendium rollup like this is that it's rolling up a variety of multiple organizations — 163 of them — of which 18 relate to core government and the rest have their own governing boards that they're responsible and accountable to.
That's where it gets difficult to answer your question. Then I wouldn't be able to tell you, let's say…. I don't want to use a specific example because they'll probably hear it and go: "It's not us."
But take a particular school board, for example. If they have issues, their auditors would already have said: "You have issues." That school board management group would have to be accountable back to that school board for what they're going to do with those issues. That school board is responsible and accountable for the decision that's made as far as whether they're going to deal with it or not, whether they're going to accept the risk or not accept the risk.
One of the reasons why you will see IM/IT controls just in general become more critical to financial reporting is that over time organizations are going to be more automated. I would expect the management comments would increase over time just by the mere fact that most of the controls that organizations would be using would be IM/IT controls. But unless we're going entity by entity, looking at year-over-year changes, we can't answer the question on a whole-of-government basis.
G. Heyman: If I can just pursue this a little bit. Really, there's one ministry up there that's the only entity to which you could speak directly. I'm not sure how useful that is, but feel free to if you want.
From my perspective — and I have served on the board of a large Crown corporation and on its audit committee for four years, as the Auditor General knows — I understand the point you're making. But one of the concerns that I would also have….
In a sense, I'm just asking for your opinion. Both within government and in Crown corporations — particularly health authorities, universities and colleges — there's a general direction for cost containment, hiring freezes, staff cuts. I'm curious as to what impact you think this can potentially have on, on the one hand, an audit direction to tighten controls and accountability and training and systems and information management and IT in that context.
S. Newton: From a management perspective, certainly any time that you put stress on any system or group of people to achieve something, you do increase the risk that something could go wrong. You also create the opportunity for any of those organizations to find a better way, a more clear and concise and quick way, in order to get what they need to get done and focus on what we would call key controls.
Just because an organization is under stress because they have to reduce cost doesn't mean that it will result in an actual problem. It does increase risk — no question — but the organization itself has to then assess what's important, what's not important, what steps they have in place and which ones are critical. You make sure you resource those and then determine what can change going forward.
That's just generally. I think you will see increased risk over time in any organization that is put under stress to be able to meet spending or objective targets with limited resources. But to say that that then translates into a problem…. All it creates is an increased risk. There's still opportunity for those organizations to do the work necessary.
Russ would have an opinion as well, I would think.
R. Jones: Yeah, I think one of the things we are finding out there…. It's not universal. In the Crown corporations that — I shouldn't say profit-oriented — don't have a great deal of difficulty with funding — like, say, the Lottery Corporation or the Liquor Distribution Branch — the IT deficiencies get addressed, I think, a little bit quicker than they can in some of what we would call not-for-profit type of entities.
School districts have real challenges in terms of finding funding to make any major system changes, even though there may be a need to start trying to replace some of the older systems that are out there.
In general, I must admit I do find that in the not-for-profit sector the IT controls take a little longer to get addressed, where there are deficiencies, than they would in the Crowns that have a little more cash available to them. But they do all get addressed eventually. As you know, having been on a board, we follow up every year on all of the deficiencies that we do come up with and do take a look at whether or not those have been addressed or not.
One of the things we are doing in our financial audit work these days is extending the amount of work reliance that we're trying to place on IT systems out there. We're finally getting around to looking at more and more entities, as well, in our direct audits, so you are finding more and more IT controls being identified by us that could use some correcting or some better controls put in place.
G. Heyman: One quick follow-up. Have you ever, in any of your audits on IT controls, contemplated or actually been in a position to comment on whether there's actually a lack of cost-effectiveness by delaying addressing of the issues raised or whether it would be more cost-effective to do it and remove the risk?
R. Jones: Whenever we suggested an improvement in their control that is lacking, we take a look at the cost-effectiveness and whether or not it's a significant control that needs correcting. If it is in one of our management letters, I think it would be safe to say that we consider it serious enough that it should be addressed right away.
G. Heyman: Maybe after others I could come back with some other questions.
D. Eby: As I read the report and as I heard the testimony this morning from the Ministry of Justice, the sense that I had was that the report was intended not to tell this committee, "Oh, there's a specific issue at the University of British Columbia," but rather that there is a systemwide, repeated issue that needs to be looked at around IT controls and that that's what we should be looking at. Is that correct?
I direct that to the Auditor General's office. Is that the correct interpretation that I'm to take from this?
C. Dover: Yes. We wanted to highlight some of the issues that we were finding around IT controls. We've reported on them in the past in the observation on the public accounts report. But they were part of a deeper analysis into the entire financial statement position, so we took them out in this report and commented on them separately.
D. Eby: In response to that broad concern, then — perhaps to Mr. Newton — in the report the COBIT framework is identified by the Auditor General as something that was useful to them in structuring their inquiries into whether or not we were meeting our obligations around IT. I heard the Ministry of Justice say this morning that they've adopted that framework in the last year.
I wonder if you can advise this committee whether or not this framework, this standardized system, has been adopted across government or whether that's exclusively the Ministry of Justice. If it has been adopted, what forms of reports are coming out that we can have some certainty that these issues are being, first of all, identified and then addressed?
S. Newton: In each and every one of those entities they would choose which control framework system they would use and how they would track and monitor IT controls. So the comments that I'd make would be in relation to the column that says "Ministries" only. The responsibility for that is the office of the chief information officer.
I can't speak to whether it's COBIT specifically, but there are IM/IT guidelines and core policy — I can't give you the specific chapter reference — that all IM/IT systems are supposed to follow, including setup, change management and those kinds of things, in relation to financial systems.
Whether they're based on COBIT specifically or not, I don't know. I can find that out for you and get back to you. But there are clear IM/IT policies for all government systems to follow, and core would be the best source. It's publicly available as well.
D. Eby: One of the challenges that this committee faces is that we're not IT professionals. And one of the advantages that this system represents is that it….
Part of the functionality, as I've read, is that it assigns a score of zero to 5 for basic processes. That's to say, zero: is the process nonexistent? Five is: is it mature and fully implemented and measured? I understand that it's to be a tool for boards that aren't IT experts to know whether or not their organization is complying with basic measures to ensure security.
Can you tell this committee whether or not this measure that you've just described, which is separate from COBIT, provides those kinds of basic and easy-to-understand measurements so that this committee can know: "Oh good. We've moved from a one to a two in terms of secure access to the system"?
S. Newton: That would be a question better for the government chief information officer. I'm not aware — but the chief information officer would be — of whether an assessment had been made internal to government on the health of IM/IT systems.
D. Eby: Mr. Chair, it's difficult to respond to this series of recommendations from the Auditor General without having someone here who can talk about the IT systems within, at the very least, the ministry category.
As I understand this report, it's to instruct this committee that there's a systemic issue that needs to be addressed, and the witness who's here today is unable to answer basic questions about the systems that are in place to help this committee know whether or not we have a problem.
I don't know if there's some additional step that needs to be taken here — another witness the next time we're together or something. These are basic questions about the report, and I don't understand that Mr. Newton can answer them.
B. Ralston (Chair): Well, with all due respect to Mr. Newton, I think you do have a point there. Maybe it's a question of asking the chief information officer to come.
We can conclude the questions that we have and then deal with this — adjourn the report over and have the chief information officer come before the committee. I think that's a reasonable request. The Deputy Chair isn't here, but I'm sure he and I can discuss that and make that arrangement if he agrees.
R. Jones: Cornell just reminded me that we are doing a report that will be coming out fairly soon on an IT health check throughout government. I'll have him maybe describe for you what's going to be in that.
C. Dover: What we did is provided a questionnaire or survey to all the government organizations, including all of the ones that you see up on the table there. What it was, was their self-assessment of where they were within that capability maturity model that you were just describing — whether they were a zero or a 5.
We didn't audit that this year. We just gathered that information to set it as a benchmark. When we release that report, you will have a chance to review that, and you'll likely have further questions on that as well.
B. Ralston (Chair): Well, thank you. I think that's one alternative. But we may want to have the chief information officer here to address this particular report.
Anyway, are you concluded, then?
A Voice: Yes, for now, Mr. Chair.
B. Ralston (Chair): Not wanting to cut off the discussion, but we do have another report which is a fairly substantive one — not that this is not substantive. I just want to remind members of that while we're proceeding along here.
S. Robinson: On the advice of the Chair, I'll be very quick, then.
I do have a question about the management letters. You did some introduction about them, but it wasn't clear to me why we don't get to see them.
R. Jones: The management letters go to the various organizations from us as part of our audit of their financial statements. They're not made public. They're not out in the public, so they wouldn't get referred to this committee through the Speaker, as most of our public reports do. I'm not sure if you'd want to see all 154 of them.
S. Robinson: I'm not sure I would too. Be careful what you ask for, I guess.
R. Jones: I don't know. If you were to ask each of the organizations to send a copy here…. I'm not sure what the protocol is for that.
S. Robinson: Right. It's just that we were getting sort of a summary of what's in these management letters, but we don't get to see the management letters. It's not really clear on how that gets decided. Just curious about that.
The other question I had. In the table there is a note that nine of the 163 organizations looked at did not receive management letters. I thought these were all based on management letters, so I'm just trying to understand those nine other organizations. Where did that information come from?
C. Dover: They weren't included.
S. Robinson: Oh, they weren't included.
C. Dover: We didn't have any information on what the management letter points were, so they weren't included.
S. Robinson: Okay. That helps clear up that question.
The last question that I had. You mentioned that as this information goes back to those school boards and universities and colleges, it will be up to them to report back to their boards. I'm thinking of one of the reports that we're going to see later this week that has to do with school board governance. One of the challenges that has been identified there is that sometimes they don't understand their role. There's some lack of clarity.
I wonder where this gets lost in their ability to actually do their role, which is to make sure that these are addressed. So that winds up falling through the cracks. That's one of the things that I guess I'm concerned about and that I think this committee ought to be concerned about.
What assurance do we have that those loops, those cracks, will be addressed sufficiently so that these shortcomings can be addressed?
R. Jones: One of the things that I know our office and most of the major firms try and do with school districts or any board that maybe doesn't have the financial or IT expertise on them to deal with some of these issues is to educate them on the types of questions they should be asking so that they can try and understand. It's not always possible.
When you look at the nature of how school district boards are made up, you may not have that expertise. I would say that in four of the five school districts that we audit, there is no financial expertise on the board.
It is very, very difficult in some cases to address the issues in an appropriate manner, as we would like to see them done. A lot of the boards leave that up to their secretary-treasurers, especially in the school districts. That's probably the one area where it's the most difficult.
Most of the other organizations have enough expertise, I think, to…. I'm being very broad in that brush, but I think the expertise is there in a lot of cases.
K. Corrigan: I know from previous reports and also from my years on the school board in Burnaby that the way…. I believe the way the audits work is that most years most boards hire somebody to do their financial statement audits. Correct?
Every once in a while the Office of the Auditor General will get involved — either with regard to specific issues, like companies that school boards have, or in actually taking a greater hand in the audits — maybe every four or five years. I think that's correct, right?
R. Jones: Correct.
K. Corrigan: What I'm wondering about is that with this very high percentage — 30 percent of audit issues were related to IT deficiencies — has the Office of the Auditor General…? Have you thought about what you could do to get at this systemic problem, given the responses that we're getting that government can't really do anything about it?
R. Jones: One of the things I think we have to remember is that this relates to our financial audits. These aren't broader audits of the IT systems within these organizations. They're more on the financial systems and the general IT control environment. That does have an impact on everything.
Sorry, what was the question again?
K. Corrigan: I guess the question is…. What you have identified is a fairly widespread problem that goes throughout Crown corporations, school boards, universities — and, to a lesser degree, health authorities — which we've been told government really has no control over. I'm wondering about whether the Auditor General's office has thought about things that could be done in order to address this systemic problem.
R. Jones: Well, we certainly encourage all of the other audit firms to look at the IT controls when they're out there, as well as our office. Each year, as I say, we identify the issues and then, in the following year, follow up to make sure that they have been resolved or that there is something in progress to try and resolve them.
I'm not sure, other than encouraging all of the auditors and ourselves to look at these issues and to encourage the audit committees to act on them, that there's much more that we could do.
K. Corrigan: I just wanted to follow up on comments and questions about school boards and a comment that was made earlier about expertise on school boards.
I know that one of the previous Auditor General's reports several years ago had suggested that maybe school boards need to…. There needs to be something about the governance and looking at the governance of school boards to ensure that there is more expertise or maybe training. But I got a little nervous when I heard that and the comments, again, made about expertise.
The reality is — and the way it should be — that school boards are locally elected officials, as are municipal councillors, as we are. This is a political process; this is not a selection process.
I think that we have to look at other solutions. It is the senior staff of the school boards who are largely responsible for ensuring that the protocols are followed. They then, of course, are answerable to the politicians in the community. But that's not the test that we use in order to determine membership on school boards or councillors and so on. I just want to make sure that's clear.
R. Jones: I must apologize if I…. What I was trying to point out was that in some cases the lack of expertise may make it more difficult for the issues to be addressed.
You're right. It was not meant to say that the whole process should be changed. What we have suggested in some cases is trying to find, in areas where maybe there isn't the expertise, some volunteer accountant or something that would come on at the time financial statements were being addressed, just to help out the board.
B. Ralston (Chair): Okay, great. We're starting to stray a little bit here.
V. Huntington: This question relates very definitely to David's and to Kathy's questions, given the ongoing nature of the Auditor General's observations on IT controls, both in ministries and across the government entities.
If I could be a little more specific in the question, then, perhaps to the Auditor General.
Comptroller General, please comment too, although I'm not sure you'd be willing to.
Would there be any value…? Or is it even possible to develop a piece of legislation that puts out the basic requirements for IT controls across the government entity that the Auditor General or the comptroller general would like to see? All entities, therefore, would have that piece of legislation that they would refer to, to meet or beat. The old process of meet or beat.
Should we be looking at a baseline of IT controls that the Auditor General and the comptroller general feel are worthwhile across all of the government entities?
S. Newton: If you're doing it based on this, this only relates to financial systems and only relates to IT controls that were necessary in order to assess how correct or accurate the financial balances were.
V. Huntington: That's fine. Let's stick, then, to the financial issue.
S. Newton: In doing that, a lot of those control requirements exist and would be required of these organizations anyway under any basic sort of IM/IT requirement. The legislation is the mechanism by which you make things happen, and that's a political decision that I won't actually comment on.
But the fact that those programs exist…. They may or may not be being followed as well as possible. I don't know if it would affect the outcome more so than a more diligent approach on behalf of the entity itself to ensure that they've got good controls in place.
V. Huntington: So basically a management issue again.
S. Newton: To my mind, it's more of a management issue. I don't know if it's a legislative requirement. I think putting it in the context that the Auditor has across the whole public sector just for IT provides a different light to it.
Certainly, boards should have this information, and the piece that I do know from talking to the Auditor General is that every one of those boards got their management letter with what's wrong.
The piece that's missing that for me would make this a little bit more relevant is the "over time." Is it the same problem year over year? In that case, you've got an issue with a board that has to be addressed directly. You're not fixing it. Or is it that they're changing all the time? In that case, you've got a bit of a different problem. That we don't know, because we don't have the detail.
I'll let Russ comment as well.
R. Jones: I'm going to stay away from the legislation part. That is up to the politicians.
As Stuart mentioned, the core policy manual also has some guidelines for organizations to follow when it comes to IT systems. There's lots of information out there.
IT systems are changing constantly. One of the key things is that organizations need to keep up when these systems are changing. One of the areas where a lot of IT issues are addressed is when organizations come up with their risk management strategy.
You'll see that in, I think, almost any risk management strategy that an organization has, especially where they're using — or always where they're using — IT systems. That's one of the key risks that they have to manage. It's not something that they're not aware of.
We go out there, we audit the financial systems, and we come up with these deficiencies and, hopefully, are helping to strengthen the IT environment out there within government.
Our next report, actually, the next compendium…. This was from 2011. The next one is coming out next month for what we found in last year's audits of all these organizations. There will probably be different ones that we came up with, and there will probably be some that haven't been resolved yet. When we next talk about the 2012 report, we can update you on where that's all at.
V. Huntington: Just to follow up on something that Stuart said, you mentioned that you know that each of the boards of these entities has received or seen the management letters. Is that true?
R. Jones: Yes.
V. Huntington: What is this committee in relation to the function of a board? Are we able…? Again, we come back to this management letter issue. How can you assume accountability if you're not aware of some of the specific issues?
R. Jones: That is a good question.
B. Ralston (Chair): I'm not going to answer it at the moment, but we're thinking about it.
L. Reimer: My question is very similar to Kathy's and Selina's and Vicki's. Clearly, this shows a bit of a trend for universities and colleges, school boards. A statement was made earlier that perhaps those who have the resources are able to easily fix their problems and where those who don't, can't.
Given that the ministries fare quite well in this, with only one issue identified out of 18, is there a propensity there for the ministries to provide some assistance to these respective universities and colleges — in that case, it would be the Minister of Advanced Education and, in the case of school boards, the Minister of Education — to provide some in-kind assistance or something to those organizations that would allow them to fix what they need to fix?
S. Newton: Earlier, before the report, we were talking. One of the questions that I'd posed to Russ in relation to the management letters and some of these findings is that perhaps, if you grouped some of the findings, like the ones related to schools…. Have a conversation with the ministry about that to determine what the ministry can do in relation to the legislation it has governing the specific entities that they're responsible for.
The way the governance works is…. I'll get a little bit into the Crown governance. A Crown is set up by a specific piece of enabling legislation. Usually a ministry holds that piece of enabling legislation. It sets the powers, rules and responsibilities in relation to that entity.
If you look at my authority under the FAA — and I'm pre-empting some stuff on Thursday — I have responsibility to direct ministries in relation to financial control, but I wouldn't in relation to a Crown. However, the ministry, through its relationship with the Crown, may or may not, depending on what's in the legislation, have the ability to direct the Crown to do something.
However, having said that, the ministry has an ongoing relationship. So the conversation we had was: "Could those management letters in relation to those entities be shared with the ministries so that the ministries could then talk to the Crowns?"
L. Reimer: Yeah, and I'm not even suggesting that the ministries dictate, necessarily, to the Crowns or to the school boards or anybody else but rather that they say to them: "Look, perhaps we could provide some assistance. Would you like some assistance?"
S. Newton: That would allow the conversation, which would get to that.
L. Throness: Just a couple of questions. I found it difficult to put this one in concrete terms, because it was quite vague and non-specific. Things like "plans not in place," "protocols not enforced," "management poor" — these are all sort of very general.
Was there any evidence that anything bad actually happened? Or is it that people weren't adding a number and another character into their passwords? Were these technical deficiencies rather than representing actual violations of law?
R. Jones: In a lot of cases what it represents is gaps that we find within the controls that are in existence so that it could leave the organization vulnerable to concerns.
L. Throness: But it doesn't represent actual instances of violation of law?
R. Jones: Not in every case. There may be some cases. Violation of law, I think, is maybe a little strong. It may have gotten further than a management letter, if that was the case.
For instance, I know that one of our entities didn't have a disaster recovery plan in place. That's a gap in the controls that they should have in place for their IT systems.
L. Throness: So given that you limited your intervention to a management letter suggests that there were no violations in law represented by the deficiencies that you found.
R. Jones: We don't look for that, necessarily. We're looking at the controls that should be in place over the financial systems where IT is used.
We don't go in looking for fraud is, I guess, the answer. If we had come across something that gave us concerns around fraud, then we would have followed it up.
L. Throness: But there were no letters to police about what was going on.
R. Jones: There were no letters to police.
L. Throness: Just one follow-up question, Chair, if that's all right.
Could it be that since July '12, when this came out, the 163 reporting entities, which are not here to answer what they've done in response, have actually cleaned up these issues?
R. Jones: It is quite possible that the majority of the issues we brought up at the end of 2011 have been addressed. That will be shown in the 2012 report that comes out next month.
L. Throness: Thank you. That's all.
S. Simpson: I guess to follow up, I find this process just a little bit frustrating. We have 94 issues identified up here, only two of which we can talk directly to because they're ministries. There's nobody to talk to the other ones, essentially. We have 154 management letters that we haven't seen, and we have no idea what's there. As Laurie says, it's somewhat vague.
What we do know is that we have this list of concerns about poor account management, issues around passwords and changes to passwords, separation of duties being inadequate, strategic plans and policies that don't exist or aren't kept up to date, staff training that's not kept up to date and insufficient contract management processes to hold contractors or service providers accountable for deliverables.
There's a long list of things here that, while they're a little bit vague as to what they mean, raise flags about what they actually do mean. Presumably, the letters would give us a better idea of what that actually means, and maybe they would provide some clarity to the questions that Laurie asked.
I have a concern about this. When I think back to a previous report from an Auditor General…. I sit on LAMC, and I seem to remember the Auditor General slapping us around pretty good about oversight and our need to improve oversight. They were absolutely legitimate — the criticisms that were made of LAMC at that time — and clearly, the Legislature has taken some steps to try and improve how we deal with those things through LAMC.
It seems to me that we have challenges and responsibilities around oversight here. That means we should be able to access information that allows us to satisfy ourselves. I've got to say that I have a problem with not seeing these letters. I'd like to have the opportunity to go through them in some fashion and, if we find one, two, three, four, ten, 15 of these entities where there are significant issues, to then invite the people from those organizations to come and talk to us about why that's the case and about how they have addressed the issues that the Auditor General has raised.
We have no ability to do that, because we have no clue about any of that without access to that information. That's a frustration I have, and I think it seriously compromises the ability of the Public Accounts Committee to do its work. We need to do better on that. That's a problem that I have. Having said that, I'll get to a specific question for the Auditor General.
We have seen, over the past couple of years, a number of instances in the media and in public where we've heard about IT issues, costs of putting systems in place — I believe in the K-to-12 system about a system put in place and then essentially set aside and a new system needing to be put in place at some point on that.
My question to the Auditor General: have you done any assessment of how much money in total you think government has expended with IT by not having been able to address these issues or where the cost issues are there — in the tens or hundreds of millions of dollars of government money that have been spent to deal with this litany of challenges around IT?
R. Jones: No, we have not taken a look at how much money has been spent on IT systems across the government entity. We do have a three-year IT plan that we are putting together.
As I mentioned, we're currently looking at a couple of other systems right now around security, but we also take a look at focusing in on large IT projects which may be much like P3s that are going to be undertaken. We take a look at large IT contracts, like the Maximus contract, I think, and ICM, which we're looking at.
So we do have some things in our plan. But have we actually taken a look at the total amount of spending and whether or not there was good value for money in it? Not that I'm aware of.
S. Simpson: Just one follow-up on that. You mentioned ICM. It's a system that I've learned a little bit about from, mostly, frustrated organizations that have had to use that system in order to fulfil the responsibilities of their contractual arrangements with government around service delivery — unemployment programs and things like that. They have frustrations about that, and a whole range of them.
Then, on those systems, when you look at that, you're exploring how those systems function. I know the groups raise concerns about whether they're getting proper training and whether their technologies in fact are compatible, in ways that make sense, with government technologies, to be able to use those systems and deliver on their obligations in terms of data and those things. Those are issues that you're looking at?
C. Dover: When we look at some of these IT projects, what we're looking at is: have there been any expected benefits defined from why we are building this new system? Then we look at: is the system actually going to be meeting those benefits?
I'll look at…. If it's supposed to be better user access, have they actually implemented access controls properly? If it's supposed to be faster access by the public, we would probably look at how that is actually happening. Is the data supposed to be accurate? We'd look at the database and how it's collecting, storing and processing information as well.
To shorten up on that, we're looking at: what were the expected benefits of the system, and is the system actually meeting that?
M. Morris: I see a bit of a flaw, perhaps, in the process that we have here right now — some of the comments I've heard. We have requests to see management letters, which I think is getting down into the macro-level management of the way some of these organizations operate. I think we're prejudging or perhaps trying to establish what action these particular levels of school boards, hospital boards — whatever the case might be — have taken as a result of the management letters they've got.
I think perhaps we're premature. Maybe this committee should be sitting and listening to the complete package. So once the entities have reviewed the management letters and they've taken their steps and there's been a compliance review or a compliance audit with respect to that, then that's probably the time that we should be looking at that.
To jump in midstream and pass some kind of judgment that the organization isn't taking the proper steps might be a little bit premature.
B. Ralston (Chair): Any comment?
R. Jones: It is an ongoing process. The fortunate part is that when we finish our financial audits and we discuss these with the audit committees — say in May, after following a March year-end — management is already, if they're on the ball, doing something about what we've brought up, because the audit committee has asked them to do it.
We've identified where there's an issue, and throughout the next four or five months, hopefully, they do something and get it done. Then, when we go back in to do our first what we call interim audit in the fall of that year, we'll look to see if they've done something.
No matter when you get to look at this report, there's a dynamic where something's happening. It will be very, very difficult for you to get a good sense, other than to rely on our confirmation to you, that the entities are doing something about the issues we're bringing up.
Probably, the ones that are of more interest are where we have made a recommendation and nothing's been done on it. Those would be ones that I think you should be concerned about, because, as I said, we wouldn't put a recommendation in a management letter unless we felt it was significant enough to put in there and was cost-effective to implement controls on.
M. Morris: Just one follow-up, if I may. From your experience in this process, how often are your recommendations ignored by the various entities that you audit?
R. Jones: I'm trying to remember the percentage, but I think we're probably close to 90 percent that are usually followed up on in the financial audits.
The ones that are the hardest for a lot of the organizations are the disaster recovery plan ones, because they try and correct all of the ones that impact their daily lives. Even though the disaster recovery ones could impact their daily life at some point, they're harder for them to get to. They do have it on sort of their priority list, but it's not number 1 or 2. It's usually down a little bit.
D. Eby: One of the members was asking about whether there had been actually a breach of law related to this or whether these were technical matters that were maybe a character in a password. I understand that this report focuses on incidental information that the Auditor General discovered during financial audits. We're just talking about financial processes here.
Certainly, any of the members can visit the Privacy Commissioner's website and read about very serious disclosures of personal electronic records and, most notoriously, in 2011 an ICBC employee accessing the personal information of staff members of the Justice Institute of B.C., who were then targeted for shootings and arsons. I mean, this is a very serious matter related directly to information security management and an issue of incredible seriousness.
I wanted to clarify with the Auditor General that these aren't technical breaches that we're talking about. This is a pattern that you're identifying that was serious enough to merit issuing a full report and that we need to act on. This isn't something that is a matter of password protocol.
R. Jones: Correct.
B. Ralston (Chair): Thanks for that short answer.
G. Kyllo: Obviously, all levels of government, Crown corporations and even the private sector are becoming more and more reliant on information technology systems, and you'll never get to a point in time where everything's 100 percent. But I think, from some of the things I'm hearing, that it might be helpful with some of the items that you're identifying in the management letters….
I know from my prior experience with quality assurance programs and external audits that they're kind of broken into minors and majors. If we could identify what would be deemed to be a minor infraction, like potentially not changing passwords on a regular basis with respect to…. I guess the other thought would be a major, which might be the lack of a disaster recovery plan.
As well, I think by looking at just the quantity of numbers, the challenge is that…. If an organization stays status quo, they can easily address all of those issues. But in an ever-changing environment, you indicated they may be able to solve one problem and yet another problem rises in its place.
Again, I think that as a group, if we had some indication of which organizations are actively, aggressively, I guess, going after and undertaking the recommendations that you've made…. Just because from year to year you may even see an increase in the number of, say, minor non-conformances, that doesn't necessarily mean that they're getting worse. If they've implemented new systems, we may see additional problems coming in.
For myself, I think it would be beneficial if we had some input or provided some information as far as what would be deemed to be minor infractions and which would be majors and then which ones there has been no activity on. I think that, just unto itself, would provide those organizations with some concern or maybe potential fear of being reported out on the fact that here are some items that they're not taking any action on. That would be helpful for me, from my standpoint, in any event.
S. Gibson: Having worked at a couple of universities, I affirm that to some extent…. I guess the question I would like to ask is….
In hierarchical organizations the people at the top, the people that are getting the brunt of the prescriptive material, will tend to want to address it in order to assuage those who are monitoring them. But the further you go down the organization, the less concern there is to make any changes, often.
For example, I'll see people at an unnamed university sharing passwords, that kind of thing. "Oh, you don't have your password; you can use mine today," right? But you wouldn't get that at the upper levels where people have access to more information.
I guess my question is more communications, or maybe it's a pedagogical question. Okay, you've got some prescriptive information. How do you ensure that people down the organizational chart also see the gravity of the recommendations — that it's not just adopted at the top cosmetically, but it goes down to levels where it actually makes a difference? That's my question.
R. Jones: In the process, when we go in and we take a look at, say, IT general controls, we don’t just deal with the people at that higher level. We actually talk to department managers and whatnot, and we clear all of our findings at that level so that if we've come up with a deficiency, they are aware that it is one. Then they usually inform up the line how they're going to deal with it.
So by the time we get to the management letter point to the audit committee and to senior management, it's been vetted down at some of those lower levels. It's then up to management and the audit committee, though, to ensure that that gets enforced down at those lower levels. All we can do is take a look when we come back the next time and see if it's been acted on or not.
As I say, we go through all of these in great detail with management, if we figure that they are significant enough for them to have to put a control in place. They're not usually trivial. The trivial items we can deal with quite quickly with management, and we won't write them up. It's just not our nature to do that. But something that's significant enough that we think it warrants action at the audit committee level — that's where it goes.
B. Ralston (Chair): That concludes the questioners.
What I'd like to do is just adjourn debate on this and have a discussion with the Deputy Chair — not now but in the immediate future — to this issue of whether we want the chief information officer to come back to comment on this report. So with your agreement, I would adjourn debate on this report, and we can move to the next one.
V. Huntington: Mr. Chair, I wouldn't like to lose, in going forward, Linda's comments about whether or not there is opportunity for the ministries to work within certain of the entities and assist them, if possible and, also, Greg's comments about prioritizing the actual issues that they're finding and providing us with information on those specific issues that the entities are failing to change. Those are both valuable comments that I think we shouldn't lose in terms of the recommendations.
B. Ralston (Chair): Again, I can discuss those with the Deputy Chair. Those are good points.
With your agreement, then, we'll adjourn debate. I'll allow a minute or two for the transition of staff, and we'll move to the next report, which would be An Audit of Biodiversity in B.C. So if we could maybe just take a minute or two to switch over.
Okay, perhaps we can begin. Auditor General, would you like to introduce the new members of your team that have joined you at the table?
Auditor General Report: An Audit of Biodiversity in B.C.: Assessing the Effectiveness of Key Tools
R. Jones: I certainly would, Chair. On my immediate left is Morris Sydor, assistant Auditor General in charge of a whole bunch of things in the performance audit sector, but environment is definitely one of his key responsibilities. Next to Morris is Ardice Todosichuk, who was responsible for helping out in writing this report and was in charge of it.
For something entirely different from what we've just been talking about, we're going to talk a bit about biodiversity. As you can well imagine, biodiversity is critical to the health and well-being of all British Columbians. Managing it is a difficult and complicated task, however — one that government has a pivotal role in, in ensuring its conservation. Yet what we do find, and you will see in this report, is that it is in decline at the moment.
B.C., in Canada, is one of the most biologically diverse provinces. This audit looked at the conservation of biodiversity on Crown land and focused on habitat protection actions. We found that the government doesn't know if its actions are conserving biodiversity, and we identified several barriers, in this report, to government being effective. Those include a lack of information, gaps in legislation and poorly implemented policies and tools.
Another aspect critical to the conversation of biodiversity, as I just mentioned, is habitat preservation. And 20 years ago we took a look at government's habitat conservation efforts, and many of the issues identified in that report were also identified in this audit.
We do have an opportunity, though, right now. The United Nations declared 2011 to 2020 as the Decade on Biodiversity. B.C. has an opportunity to be an international leader in this area and bolster its reputation on the world stage by 2020, by reversing the current decline in the province's biodiversity.
I'd like to turn it over to Morris and Ardice to take you through the presentation that we have.
A. Todosichuk: British Columbia is Canada's most biologically diverse province because of its complex geography and varied climate. However, recent assessments have shown that many of its species and ecosystems are declining. In B.C., 94 percent of the province is Crown land. How that land is managed is pivotal in conserving biodiversity.
Understanding and managing biodiversity is a difficult and complicated task. The B.C. government has been involved in initiatives to conserve biodiversity for a long period of time. Since 2006 one of the goals of the Ministry of Environment has been to maintain healthy and diverse native species and ecosystems across B.C. The audit purpose was to determine whether the B.C. government is effectively conserving biodiversity in the province.
In this audit we asked three questions.
(1) Does government have a clear understanding of biodiversity in B.C.? In other words, does government have sufficient and reliable information on biodiversity?
(2) Are government's actions resulting in the conservation of biodiversity?
(3) Is government measuring and reporting publicly on its progress towards conserving biodiversity?
The two ministries that were part of this audit were the Ministry of Forests, Lands and Natural Resource Operations and the Ministry of Environment.
Having adequate inventories of biodiversity is a common problem for most jurisdictions. Nevertheless, government needs a basic amount of good-quality information with which to understand the status of biodiversity in the province and to make well-informed decisions about its conservation. We expected government to be systematically collecting sufficient and reliable information on biodiversity.
What we found is that there are significant gaps in government's information. For example, parts of B.C. have never been surveyed for species distribution, and in areas that have been surveyed some of the information is now decades out of date.
We found that government has not developed a strategy for filling these gaps. One of the primary causes why these gaps are not being addressed and a strategy has not been developed is that the ministry is dependent on sporadic funding.
Finally, we also found that the quality checks on the reliability of the information that is gathered are sometimes lacking.
For actions to be effective in the conservation of biodiversity, we expected government to have a legislative framework that supports the conservation of biodiversity, a method to prioritize the actions needed to conserve biodiversity, and accountability for those actions; and to assess and monitor its actions to ensure that they were being effective.
We found that B.C.'s legislative framework does not fully support its objective of conserving biodiversity. For example, legislation to conserve species and habitats doesn't apply equally to all industries. The regulation for the Wildlife Act has not been introduced, even though the amendment was completed over eight years ago. Few species at risk are actually protected under the province's legislation.
Current literature indicates the job of conserving biodiversity is far greater than the resources that are available. We found that government cannot demonstrate that its prioritization tool, the conservation framework, is effective. The tool has not been kept up to date and has not achieved its goal of informing conservation actions and decisions across the province.
Government has created a number of plans for conserving biodiversity, including the wildlife, ecosystem and freshwater fishery program plans. However, the lack of assigned responsibilities and timelines within these plans makes it unclear how much progress has been made and if these plans are being effective.
Biodiversity includes genes, species and ecosystems. For this audit we focused on species and government's conservation of their habitat at the local level. According to studies, habitat destruction is the main reason species become extinct, and preventing the degradation of habitats is the most effective way to conserve biodiversity.
We looked at the government actions regulation under the Forest and Range Practices Act because one, the Ministry of Environment has used these habitat designations as a performance measure for its objective of conserving native species and ecosystems, and two, because government has stated this act is a critical piece of legislation for protecting these habitats.
These areas created under this regulation are not considered protected areas but instead are constraints to industry. What we found was that of the five habitat designation tools we examined, only three were being implemented, and most had not identified what habitat was required to conserve the species. This lack of specific targets for protecting habitat on a provincewide basis was one of our key findings in an audit we undertook over 20 years ago.
We also found that habitat designations are not being sufficiently monitored. The objective of the forest and range evaluation program is to evaluate whether practices under the Forest and Range Practices Act are meeting the intent of the act's objective: sustainability of B.C.'s natural resources. Six years since its inception there's been very little monitoring of the habitat protection areas.
Reporting on the state of biodiversity and documenting its actions to meet its national and international commitments are important steps for government to demonstrate its progress towards conserving biodiversity.
We found that government is not adequately measuring or reporting publicly on its progress. The performance measure that has been used — number of completed designations under the Forest and Range Practices Act — does not indicate whether government is achieving the outcome of ensuring healthy and diverse native species and ecosystems. We also found that government is not reporting on meeting its national and international biodiversity commitments. In 2010 the U.N. found that government had failed to reduce biodiversity loss.
We recommended that the ministry make a long-term commitment to collect sufficient and reliable information, review its legislative framework, assign responsibilities and timelines for its conservation actions, fully implement its habitat designation tools and determine whether other tools are necessary, complete sufficient monitoring to assess the effectiveness of its actions and report periodically to the Legislative Assembly and the public.
B. Ralston (Chair): Thank you.
Response, then, from the ministries. Perhaps you could introduce yourselves first.
M. Zacharias: Thank you, Mr. Chair, Deputy Chair and Members. My name is Mark Zacharias, with the Ministry of the Environment. To my left is Tom Ethier, the assistant deputy minister at Forest, Lands and Natural Resource Operations. To my right is Alec Dale, executive director of ecosystems branch in the Ministry of Environment.
I think…. Are we queuing up a presentation?
B. Ralston (Chair): You have a title there as well, Mark, so perhaps you should just….
M. Zacharias: I am the assistant deputy minister of….
B. Ralston (Chair): Environmental sustainability and strategic policy division, Ministry of Environment. That's what it says here in my papers — just for the record, so we're clear. Go ahead.
M. Zacharias: As this deck gets tooled up here, I just wanted to thank the OAG. It was a very collegial and informative audit. Overall, we accept and we agree with all six recommendations. I'll go through each one in a little bit more detail in a couple of minutes here. I won't take too much of your time, so we can get to questions. As such, I will quickly paraphrase some of the recommendations. I'll also explain any acronyms that we're using such that there's no confusion around kind of what the various tools are.
I will jump to recommendation 1 here. In my own words, it's to collect information on biodiversity and apply this information to make informed decisions. We've committed to do three things under this recommendation.
First, we've committed to improve how data are collected to support status assessments and legal listing decisions. What this entails is two parts. One is aligning our IM/IT systems as well as aligning our data submission policies so that information, when it comes into government, can actually be used to track and assess biodiversity.
Our second commitment on this piece was to identify options for long-term funding for inventory monitoring and reporting. We have two major pieces that support this commitment. The first is what we call EMOP. It's the environmental mitigation and offsetting policy. It's referred to in the Auditor General's report, but we've actually got a formal title for it.
What the EMOP does…. I'll speak to it a number of times throughout this presentation. It's a policy for developing mitigation plans to address the impact on environmental values. It's a policy for both proponents from industry as well as for government staff in adjudicating these plans.
We also have the ability, under our second piece here, for the environmental assessment process to put conditions on their environmental certificates that allow and require proponents to collect information.
The third commitment under recommendation 1 is to supplement our species-by-species management to manage ecosystems or ecological communities to better capture values such as invertebrates or mosses. How we're planning to do this is we're going to update our conservation framework, and we're going to move to more of a threat-based assessment or management of species at risk. I'll talk about the conservation framework in a couple of minutes here.
On recommendation 2. Broadly, this is to review our legislation related to biodiversity conservation, and we have three commitments against this action. The first is to look for gaps, duplication or inconsistencies in our statutes. This is underway right now. It was a commitment in our species-at-risk five-year plan. It's also foundational as part of our natural resource sector — that's the NRS — transformation plan, looking at all aspects of the businesses of the six ministries that constitute the natural resource sector.
Our second commitment is to mitigate impacts to biodiversity values. Again, this is our EMOP, environmental mitigation and offsetting policy. We are rolling out training to staff in 2014. The policy has been through several iterations of public and stakeholder comment. We'll be using that to impact and mitigate for biodiversity values.
Our third commitment is to explore methods to promote voluntary protection of species at risk on private lands. We're working with UBCM and their local government working group to look at and explore incentives to promote stewardship on private lands.
On recommendation 3. What this is, is we are going to figure out who is doing what by when and how these actions will improve biodiversity outcomes. We have two pieces to support this recommendation. The first is to review the priority-setting process of the conservation framework. The conservation framework was approved a number of years ago. It was last updated in 2009.
It is an effort to prioritize the conservation of species and ecosystems. Prior to 2009 we basically prioritized based on extinction risk. What that meant was we often invested recovery efforts and significant resources into species that might just be marginal in B.C., and we would miss other species such as the mountain goat or mountain sheep that we do have a global responsibility for. The conservation framework allows us to look at our return on investment and conservation options and invest our efforts in the best way possible.
What we're doing with the conservation framework right now is we are working with staff from Australia and New Zealand to integrate a prioritization update into our conservation framework. That's undergoing right now. I believe it will be done over the next several months.
The second commitment under recommendation 3 is to use what we term an ecosystem program plan. This is fundamentally our business plan to capture all of these improvements and then make sure that these improvements and the ecosystem program plan is being used in all aspects of natural resource decision-making.
Moving on to recommendation 4. The recommendation was to implement existing habitat designation tools and review whether these tools are effective. We have two actions under this recommendation. The first is to review our Identified Wildlife Management Strategy. We call this IWMS for short. What the IWMS does is it addresses forest and range impacts on Crown land. This work is nearly complete. It has been underway for some time. There are some draft recommendations which have been completed, and it should be published in the next couple of months.
The second action under recommendation No. 4 is to complete a plan to implement our designations and explore whether new tools are needed. This is on track. What we're doing is we have a number of project plans to figure out what designations are not complete and, also, what future designations may be required.
Under recommendation 5: fundamentally monitor in a way that we can determine whether our actions are conserving biodiversity. We have two commitments under this recommendation. The first is to expand FREP, which was discussed by Ardice — the forest and range evaluation program. This is under the Forest and Range Practices Act, and what it does is it looks at the effectiveness of resource management practices under lands used by forestry or range.
The FREP program is actually very useful, and it's a nice jumping off point to look at expanding and including other biodiversity values into the program. FREP already has funding attached to it, so we're looking at including other biodiversity values within the program outside of just immediate forest and Crown lands.
The second commitment is to find partners to assist with biodiversity monitoring. This is ongoing as well. We have one side of the continuum — for example, the Breeding Bird Atlas, in terms of citizen science. We're also using the environmental assessment process whereby certificate conditions can be used to have proponents again collect data over the long term that we relate to biodiversity. We also do a number of other pieces, partnering with other levels of government, First Nations, industry, foundations, etc.
Recommendation No. 6 is to report out on our progress. We're doing two things under this recommendation. We are adding more biodiversity values to our SOE reporting. SOE is our state-of-environment. Our last state-of-environment report in hard-copy format was 2007. Since then we've moved our state-of-the-environment reporting into more of an on-line-based reporting structure. We have one new measure of biodiversity already added. That's the change in status of vertebrates in B.C., and those are native vertebrates.
The last commitment is to link all of our different reporting, inventory and analysis programs together. This is a commitment in our species-at-risk five-year plan. We envision this kind of falling under our cumulative effects framework by which all of our initiatives that track and monitor biodiversity would report up corporately. Anybody wanting to know about status would be able to query a system and find that out.
B. Ralston (Chair): Okay. We'll move to questions.
N. Letnick: Thank you to both the AG's office and the government representatives for their presentations. After reading the report, I just went on line to see how we're doing in B.C., and I'd just like to make sure my numbers are right.
In 1996 the province had a goal of protecting 12 percent of the land base by the year 2000, and at 1996 we were at 9 percent. Today, according to some reports on line, we've exceeded 17 percent of the land base which is protected. The reason why I bring that up is that throughout the reports, it seemed like one of the key ways of protecting biodiversity was protecting the land base, putting aside land which cannot be used for other purposes.
My first question is: are those numbers accurate? Are we at 17.5 percent of the land base that's protected in some way or another? Then, I do have other questions, but I'll wait until my colleagues have had a chance to dive in.
M. Zacharias: Currently 14.4 percent of B.C. is protected in B.C. parks, protected areas, ecological reserves or federal parks. The total percentage of B.C.'s land base that is protected for one or more values and managed for conservation is 37 percent.
N. Letnick: If I can just follow up on that. How does that compare with the rest of the country?
M. Zacharias: That's a good question. We think we're doing very well, but we don't have the numbers in front of us.
N. Letnick: Okay, and I assume that compares well with our history. It's more than we've ever had before.
M. Zacharias: That's correct.
N. Letnick: I always like to compare whenever reports come like this. How does that compare with other jurisdictions, and how does it compare over time? I think that's the fairest way to analyze any project, right? That's good to know. Thank you. I'll save my other questions for later.
G. Heyman: I have a number of questions. Perhaps I can get a couple of them out and then…
B. Ralston (Chair): Sure. Get started, and then….
G. Heyman: …make room for other people.
Given that MLA Letnick has raised the issue of how much of the land base we've protected, let me throw in a question that, frankly, flows from that, because I think it's important to have this on the record.
Perhaps you'd like to comment, Mr. Zacharias, on the meaningfulness of protecting a certain percentage of the land base with respect to biodiversity if the actual areas of land aren't connected with migration corridors and all the other things that are necessary to ensure that the land that's protected is directly relevant to the protection of species and to adaptation in the face of climate change.
M. Zacharias: The member is correct that connectivity is exceedingly important, particularly as climate change becomes more in the province and, basically, species move northward and move upward in elevation.
I don't have the numbers in front of me, but I'd be happy to provide a copy of a scientific paper that looked at connectivity in protected areas in B.C., particularly our large protected area complexes up in the eastern side of the province and the north side of the province.
G. Heyman: That would be great, and I'm sure I and other members of the committee would be grateful to receive it.
I think, if my memory serves, B.C. is blessed with perhaps the greatest diversity of species in Canada, as well as — and there is some actual connection between this — the greatest number of species at risk.
Similar to the Auditor General's report finding significant gaps in our efforts and tools and activity with respect to protecting biodiversity, West Coast Environmental Law recently observed that our environmental protection of our landscapes is fragmented, inconsistent and is not consistent with what scientists say is needed to conserve species biodiversity.
My first question is…. Given the large diversity of species we have in B.C., it's interesting to me that B.C. is one of, I think, only two jurisdictions in Canada without explicit species-at-risk legislation. In 2011, in response to a government commitment, a task force called the Species-at-Risk Task Force was established to recommend measures to protect species at risk.
What follow-up measures are taking place that are actually based on the recommendations of the task force? In your view, do the responses and actions of the ministries that you've outlined today actually align with the recommendations of the report?
I do have a follow-up question that I'll save.
A. Dale: I'll try my best to answer that question. As the member mentioned, the task force report did come out. Folks around the table may be aware that this past spring we produced a species-at-risk five-year plan for the province of British Columbia. It is on the web right now. It is draft, currently. We put it out for public comment. We have those comments back now, and we're currently working on finalizing that plan.
That plan is entirely based on the response from the task force. It addresses, I think, something like 98 percent of the comments from the task force. I can tell you that our response on the audit is very aligned with those. In particular, any of the ones on species at risk are aligned with our SAR five-year plan, which is also aligned with the task force report.
G. Heyman: My follow-up is twofold. One of the significant challenges that we face in understanding what measures are necessary to protect biodiversity and species at risk is data. You've talked about data systems, but you haven't talked about our ability to actually collect meaningful data. So my question is twofold.
What challenges do you think we face? And this is also a question for the Auditor General, if you care to comment. We've seen a successive reduction of capacity in the ministry to actually have people on the ground who either monitor industrial activities in sensitive areas or to simply monitor species in general or the state of species around the province, and that goes to how we get the data that goes into the system. The first part of my question is: what are the challenges that relate to actual insufficient feet on the ground, if you will, to help us with this?
The follow-up to that is…. The measures that you've outlined that you're taking in response to the Auditor General's report you've talked about…. And I thank you for that, in response to my question how they might align with the Species-At-Risk Task Force. How do they align, or are they consistent with what are considered the international norm standards and best practices respecting the protection of biodiversity?
Let me be clear. I'm hoping you won't point to some alignment with a particular jurisdiction. I'm talking about best practices and norms.
M. Zacharias: To the member's question around what challenges we face with respect to inventory and monitoring of biodiversity, there are a number of ways to answer that. One is we are looking at ways where we can invest in either the structural, functional or compositional aspects of biodiversity. Again, that's part of looking at, overall, how we're going to align our inventory efforts going forward around climate change, around anticipated resource development, around demographic and population changes.
We are building that into the species-at-risk five-year framework. I would also submit that we're also looking at this through our conservation framework and updating the framework with the new prioritization pieces that Australia and New Zealand are doing. I'd be happy to share some information with the committee on that piece and how that's going to look.
We do have challenges around information in certain areas, particularly areas that do not have large population centres. We have reinvested in inventories over the last several years. In the northeast of B.C. — I can't quote you the exact number now — we did spend some considerable resources in 2011 and '12 in terms of doing wildlife and fish surveys up there in anticipation of unconventional gas development.
We also continue working through our environmental mitigation policy whereby we have proponents now…. They're investing in long-term inventory and supporting inventory for those areas that are in their project proponent footprint — and not just the footprint of where their activity is going to be but within the watershed and the ecosystem as well. That's a new business area for government.
We also have a number of other pieces that are leading to what I would say would be improved monitoring and inventory outcomes. For the first time, under the Environmental Management Act, we've instituted an area-based management plan. It's the first time we've done that in the province. With that plan, that plan is compelling Teck Coal in the Kootenays to develop and fund monitoring programs into the future as well, to look at biodiversity in some of the watersheds that flow into Lake Koocanusa.
To your question, there are a number of discrete programs operating, depending on the threats to biodiversity in the province. We are looking at: how do we knit those together into some integrated fashion that would support, particularly, cumulative effects moving forward?
A. Dale: Could I just add to that, Chair?
B. Ralston (Chair): Sure, go ahead.
A. Dale: Specifically around your question about other jurisdictions and some of the new things that are happening, sort of best management in terms of trying to assess biodiversity, one of the things we are putting a great deal of effort into is citizen-based science. One of the examples was our Breeding Bird Atlas or breeding bird survey. That's a survey that's been done across the entire province now, so we have a very good understanding of what the bird population in B.C. is doing.
That's run by an outside agency. The province committed funds to that. I think it probably…. The value of the information coming back is about 10 to 1 in terms of our commitment to fund that program.
That is very much a piece that other jurisdictions are starting to look at, simply because of the high cost of getting people out on the ground.
With respect to our data policies and data collection, we're also looking at new ways of capturing that type of data coming in, which has been completely new to us. That's also part of the data aspect.
B. Ralston (Chair): By citizen-based science, it sounds like it's an organized and coordinated volunteer effort according to certain criteria. Is that what you're saying?
A. Dale: The Breeding Bird Atlas was very coordinated by…. I can't remember the name of the organization now.
B. Ralston (Chair): It's an NGO, then, is it?
A. Dale: Yeah, Bird Studies Canada. So it's an NGO that's across the country and does this in all provinces. We're also relying on….
One of the aspects around, one of the threats to, biodiversity is invasive species. We're looking at ways now for regular citizens to have an app on their iPhone to take a picture of something that they're not aware of and have it come into government and have it identified. If it's an invasive species, we can get people out dealing with that issue. So there are some pretty neat opportunities.
B. Ralston (Chair): Sorry, I interrupted. Did you have…?
G. Heyman: I was wondering if the Auditor General or any of the people with him have comment on the questions.
M. Sydor: Certainly our report did indicate that the ministry is challenged in terms of resources. I think we did point out that there's a lack of expertise in some areas. Particularly, we did point out that the sort of level of inventory that one would expect isn't there. Much of the information that we examined tended to be dated, and there are some areas where surveys haven't been carried out entirely.
I recall just looking at a story about grizzly bears in the newspaper about a week or two ago. There was a reference in there that only 15 percent of the habitat areas had actually been surveyed. In terms of our understanding of grizzly populations, there's a large reliance on the expertise of people, expert opinion and computer models. So there are a number of areas where our report had indicated, again because of just resource issues, the ministry isn't at the level that we had expected.
At the same time, the movement to an ecosystem-based approach and utilizing resources outside of government are obviously positive steps. I think there's a general recognition that rather than focusing on individual species, what we need to do is make sure that the ecosystems are maintaining their structure and functionality. That certainly seems to be the direction that the ministry is moving towards.
D. Eby: I was reading about a dispute with Coastal First Nations and hunting outfitters about black bear populations and the sustainability of hunts. I can't help but reflect on that in light of this report, the importance of biodiversity information and assisting different sectors of our economy — the Coastal First Nations worried about wildlife viewing, the outfitters worried about hunting tours — to balance the needs and understand each other in the available resources.
In light of that need for balance between competing sectors of our economy that are dependent on biodiversity in one way or another, I'm very concerned that, in the response to this very damning audit about the province's level of knowledge of what animals and plant species are where in the province, many of the suggested responses won't be in place until 2017, 2015. Just as one example, a review of the natural resource sector legal framework to identify gaps won't even be initiated for four years, until 2017.
I would like to know whether this delayed response is due to a lack of resources being dedicated to either these issues or generally within the ministry. It seems to me that these are very critical environmental and linked economic issues and that they deserve a much higher priority than four years just to initiate a review.
T. Ethier: Thank you for the question. It's nice to be here.
It is a question that we are always, in terms of trying to manage for the variety of interests on any wildlife population….
You bring up the ongoing kind of dispute around the management of bears on the coast. What goes into that decision-making is a fair amount of science that is used in terms of trying to understand the distribution of habitats that support bears — some of the inventory that we do, and understanding the kind of densities associated with those habitats and then corresponding that with what we know in the literature. This is a little bit beyond what the audit is here, but we end up with population estimates in different areas of the province. From those population estimates we then make management decisions.
On the central coast this has been a known issue for a long time in terms of First Nations interests, wildlife viewing interests and hunting interests. We continually sort of strive to try and achieve a balance here.
We've come through the central coast land use plan and the north coast land use plan that resulted in a number of conservancies and a number of areas closed to grizzly bear hunting and also areas closed to hunting of black bears, especially associated with the kermode. So the precision of information that we do have in terms of animal distribution and numbers of them and numbers that are harvested is pretty good.
We also have a good understanding of where the wildlife viewing opportunities are. We try, if there's a safety concern, to manage for those values there so we don't have hunts occurring when people are just viewing bears.
The example, maybe, that was given there in terms of our management response or trying to address that issue is not the same as the one where we identify the one, three or four years out, where we're doing a legislative review to look at how we're going to achieve biodiversity objectives.
D. Eby: Perhaps to clarify for the ADM, the Auditor General concluded three key points. One is that significant gaps exist in government's understanding of biodiversity in B.C. The second was that government does not know whether its actions are resulting in the conservation of biodiversity. Third is that government is not adequately measuring and reporting on its progress in the conservation of biodiversity. I used, as just one example, the black bear just to illustrate the importance of biodiversity to our economy here in British Columbia.
My question is simply this. When I scan down the list of responses of the ministry, I see that there are responses that won't be implemented for years in a very serious matter. My question to you is: do you have adequate resources to act in a manner that reflects the urgency behind this report?
M. Zacharias: To the member's question around the legislative review, we committed to starting the review in 2013. It will take a couple of years, and the reason for that is, well, several-fold.
One is that we have some statutes that need to be passed that will contribute to biodiversity. The water sustainability act would be one we're working on right now. The second one is that we do have quite a few natural resource statutes, and it will take considerable time for staff to kind of work through those. Then the third piece of all of this is that we're also looking at the business of the natural resource sector through the one land manager of lands. How that business is basically reorganized or rethought will actually depend on and it'll actually impact what our natural resource statutes look like going forward around biodiversity.
A. Dale: I'd just like to address the gaps issue. One thing that doesn't really come out within the report is that the gap is significant when you look at the numbers of species we have and the numbers of species we track.
We're currently tracking approximately 5,000 to 6,000 species in the province of B.C. That means that with our conservation data centre we know the status of those species.
What that includes, though, is all the vertebrates and most of the vascular plants. So it includes all our birds, all our fish, all our mammals, all our reptiles, all our amphibians and most of our vascular plants — which are our trees, grasses, shrubs, things like that.
But in the province of B.C. we have an enormous number of invertebrate species — insects, molluscs, things like that — as well as a large number of nonvascular plants, which are mosses, lichens, algae, things like that. So we have done a job of prioritizing what species we are tracking. I think the job of tracking all those 50,000 species would be difficult, and that is exactly the reason why we are moving towards an ecosystem-based approach for some of those species.
D. Eby: Mr. Chair, sorry. Just to clarify. Certainly, I'm having trouble understanding here.
The Auditor General says, "Government does not know whether its actions are resulting in the conservation of biodiversity," and you're saying that you are tracking 6,000 species. The Auditor General's conclusion that you don't know whether or not your actions are conserving biodiversity — are you saying that that's incorrect? Are you disagreeing with that conclusion?
A. Dale: No, I'm not, actually. What I'm saying is that we do track the status. The Auditor is saying we're not necessarily clear whether our actions are improving or are not improving the status of those species.
We are tracking the status. We don't necessarily know all the causes and whether our actions to improve biodiversity are actually being effective. So it's a slightly different thing.
K. Corrigan: I would like to go back to the resources issue. I think David has just asked some excellent questions, similar to what I was going to ask, so I'm going to go back to the resources.
How many FTEs are there in the Ministry of Environment, or either one of the ministries, that are dedicated to tracking biodiversity, monitoring biodiversity — doing all the work that the Auditor General's report said should be done or is going to be done according to the plan?
I just want to preface this by saying I believe that the vast majority of our senior civil servants in this province are dedicated and want to do the right thing. So this is not questioning anybody's desire to do the right thing — in this case for the environment.
On the other hand, it's a question of priorities. So I guess I will ask that question, then. What is the number of people in this province that are doing this work? If you can't give me that answer today, that's fine. Even a guess would be nice.
V. Huntington: Is that out on the ground?
K. Corrigan: Anywhere. Just doing the work, making sure that we do something to protect biodiversity.
B. Ralston (Chair): If you're not comfortable answering the question, then you can give us a response at a later time.
K. Corrigan: I want it down to the half-FTE.
M. Zacharias: Half-FTE, all right. Well, Member, we can't give you that. Our initial back-of-the-envelope calculation is around 250 staff in both ministries all across the province, but we will get those numbers to you.
K. Corrigan: And perhaps a breakdown, to some degree, of the areas of work that are done.
M. Zacharias: Absolutely.
K. Corrigan: I wanted to reference page 12 of the Auditor General's report. I found it concerning that exhibit 1 indicates that the legislative framework protecting species at risk in B.C. covers a very small percentage, according to the conservation data centre information that was used in this report by the Auditor General. A very small percentage of species at risk are in any way legislatively protected.
That table indicates — if I'm reading it correctly, and correct me if I'm wrong — that there are 1,525 species and ecological communities at risk in B.C. that are not protected legislatively at all and then only about slightly over 300 that are listed as at risk under the Wildlife Act, the wildlife management strategy and the federal Species at Risk Act.
Given that we are coming into a time when there is great promise and plans in this province to further develop resources like LNG and other development, which is a good thing for the province but certainly will put more pressure on the land base and water rather than less, my question is: how can we possibly be protecting species at risk if legislatively we have such a small percentage of species at risk that are protected?
M. Zacharias: I want to be very clear here. The conservation data centre is tracking 1,525 species. That's a provincial tracking system that includes species of special concern. Of those, we have, again, four plus 85. The four species under the Wildlife Act are all vertebrates. The 85 species under the IWMS are vertebrates and non-vertebrates.
Also, I would like to say the Committee on the Status of Endangered Wildlife in Canada, COSEWIC…. Federally, the federal Species at Risk Act must accept COSEWIC recommendations for listing in B.C.
The 231 fall under the 1,525, so we're looking at a bit of an apples-and-oranges comparison here. The CDC tracks the 1,525 for tracking purposes. The 231 are species that we are obligated as a jurisdiction to prepare recovery strategies and action plans for.
I know that's not a great answer, but it does show that there are a number of different things going on in this chart here — that they're not all the same.
K. Corrigan: Just a follow-up on that. Okay, I didn't realize that. I thought it was an additional 1,525. But you're saying of the total 1,525, that would include the 231, the 85 and the four? Or maybe there is even overlap there.
Nevertheless, the point is that there's a very small percentage of the species at risk that are being protected legislatively.
A. Dale: If I could just add to that, I'm not sure what the percentage is here, off the top of my head, but of that 1,525 there'll be a fair number of those that are vertebrate species in B.C. — fish, reptiles, birds, amphibians. And I would like to note that the Wildlife Act does protect all native species of vertebrates in British Columbia.
There are four species at risk listed. What that does is it provides additional protection for those species' residences — not the habitat, largely, but nests, burrows, things like that, classified as a residence. However, the Wildlife Act does protect all vertebrate species in B.C. — all native vertebrate species.
L. Reimer: Thank you very much for all your work in your succinct recommendations here for the Auditor General's recommendations.
My question is with respect to partners assisting in the monitoring. I didn't hear the word "students" in there, and also our local governments, some of them, are very involved in monitoring as well. As we all know, partnerships work really well, especially where there is a lack of resources. Monitoring is very expensive, so the more partners we utilize, the more successful we'll be.
I'm just wondering if you are utilizing students for monitoring purposes and whether you're also coordinating with local governments on this.
A. Dale: The short answer is yes, as much as we possibly can. Certainly, with our Wildlife Act any research conducted on vertebrate species in B.C. requires a research permit through our permit and authorization service bureau. Those permits all require data to come in. So any student out there doing research from a university on our native species — that data comes into the system.
But as you mentioned, there are all sorts of groups out there that are doing great work, and we're really trying to capitalize on that. Again, part of the pieces that we're working on with the data submissions is the ability to capture that data, because we know there's a lot more out there than we currently have access to.
Some of that is…. It spans the range of stakeholders that we have. It's academics. It's industry. It's municipalities. It's just citizen interest. A big part of moving forward is trying to capture that data and being able to utilize it. It does involve a lot of quality assurance, quality control, and we're working on that as well.
L. Reimer: Great. The other question I had was with respect to Australia and New Zealand. You're looking at them for best practices. Is that right?
A. Dale: Yes. They have an approach that they've piloted in Australia and New Zealand. It's looking at how jurisdictions across the globe, essentially, have managed for species at risk. In the past that has been a species-by-species approach, which, as you might imagine, is very labour- and resource-intensive. What they're doing now is they're looking at assessing the major threats to any particular species.
As was mentioned in the Auditor General's report, habitat loss and fragmentation is a major threat for species at risk or just biodiversity in general. Another one is invasive species. Their approach is within an area to look at and to mitigate those threats and those risks, as opposed to just dealing with a species-by-species approach. It will be very much more an ecosystem-based or an area-based approach.
S. Gibson: I guess I would like to ask a little bit about the veracity of the data, because I know that you're doing a good job. An anecdotal story to begin. My wife and I have relatives in California. They live between L.A. and San Diego, and there was a forest fire there. This is an urbanized area. All of a sudden, tons and tons of these pumas, which we call cougar, came out of the mountains, and the California wildlife people were saying: "We didn't even know they were there."
Now, where I live, about an hour east of here on a good day, we've got bobcats and cougars. I've seen them on the trails, right? At least, my wife has seen cougar. My question is: okay, do we really know what our inventory is? I know we see these figures, and I'm not questioning your authority or expertise. But for example, brown bears…. A friend of mine is a conservation officer. They released one at the Coquihalla, where the tollbooth used to be, and they found it in Mount Vernon, Washington. So these are wanderers.
I value wildlife myself. I'm a big supporter of wildlife personally. I think it's an important part of our whole social fabric as a province. But how do we really know…? I'm questioning, not critically but maybe just anecdotally, the veracity…. How many bears do we have in the province? We've got, for example, the Vancouver Island marmot, the Vancouver Island wolf. These are endangered species, which we treasure, but do we really know how many we have?
It's more to do with the data, because I think this is a very important report, and I applaud the efforts to get to the bottom of it. That's my question.
A. Dale: I'll take a crack at the first part, and then I'll hand it over to Tom. I agree. One of the key actions coming out of our conservation framework…. It identifies and prioritizes species, but it also puts those species into bins in terms of the best action for any given species. One of those bins that we categorize is inventory. What we've found and what other jurisdictions have found is that often species are on lists because there simply isn't enough information out there, and once we get out and actually do that inventory, things tend to come off lists. So I totally agree.
With any particular species, it's highly varied in the province. As I mentioned, we've sort of prioritized vertebrates and vascular plants, and we have a lot less information on things like molluscs and invertebrates in general. I'll pass it over to Tom for some specifics here.
T. Ethier: I don't have much to add; I think Alec has covered that. What I will try to convey is…. There are some species that we do think we have an understanding of, and we actually do have pretty good population estimates and tight confidence intervals around just what they are.
Then there are some species, some subspecies, some subpopulations that do give us a lot of difficulty. It's as you sort of move down the spectrum from abundance to rarity, when we're starting to get those rare species and spotty distributions, that our information reflects that.
It also becomes much more expensive for us to track that information, and it's at that part of the inventory quadrant that we really need species experts. We need to sort of think really creatively about how we're going to acquire that information.
It's somewhat dangerous here around putting any words in the Auditor's mouth, but I've read this comment around the government not understanding biodiversities. I think that they're talking about biodiversity in terms of the definition of overall diversity of the species and their distribution in the province. But they're not saying that every species — that we are deficient in our understanding of trends or abundance and that.
B. Ralston (Chair): Does the Auditor General want to respond to that suggestion?
A. Todosichuk: I might as well point it out. One of the gaps that we did find — the significant gaps, as Alec was saying — was around non-vascular plant species and invertebrates. So again, agreeing with Tom, there is information. But around certain species and types of species, that's where we found the significant gaps existed.
B. Ralston (Chair): So you're essentially agreeing with his suggestion. Is that what you're saying? Or not? I mean, I don't want to…. I just want it to be clear. That's all.
M. Sydor: That's right. I think what Ardice had indicated is that for a number of species there's probably better information than for areas that we haven't prioritized as much. As was indicated, there are 50,000 species in B.C., so we have to look at that. We have to look at the resources we have and say: "What are our priorities in terms of trying to maintain biodiversities?"
Again, what the government is suggesting it's doing is moving away from focusing on individual species and saying we need 1,000 recovery plans. It's saying what we need to do is make sure that we've got the right ecosystems and that we're making sure that whatever activities are carried out, the ecosystems are still able to maintain their functions and still serve as viable habitats.
So it's kind of two different approaches: focusing on individual species and trying to do it that way or moving to a broader basis and looking at the landscape and seeing whether the landscape, overall, is healthy for the species that live on it now.
L. Throness: Just a few questions here. I had a question, too, about how we know that our biodiversity is declining. I understand that you're tracking a number of species and can probably tell by your tracking information.
How much is it declining? Is it a precipitous decline? Is it a slow decline — pointing out, as it said in the report, that it's a global phenomenon? Can you talk about that for a moment? Like, is this a panic? Is this a red flag?
A. Dale: It's certainly a red flag. We did note that we have a new indicator for vertebrate species in B.C. and their status and how that looks as trends. For some of them, some groups of species, it doesn't look good. Things like insectivorous birds right now are in decline across North America — South America as well. Other things are coming back — marine mammals, for one. Whales, for instance, are doing much better than they have in the past.
So it is very much a here, there, everywhere. Some species are doing better; some are doing worse. In general, trends are declining, which I think relates to the threats against biodiversity, which are habitat loss, invasive species, human population growth, resource use. It's a big challenge. It really depends on what you're interested in and whether it's doing better or worse.
L. Throness: We have an issue in my riding, a longstanding issue with the Salish sucker, which is a fish that lives in the drainage ditches of farmers. Farmers are not allowed to drain their fields, so there's a real cohabitation problem of humans with these endangered species. Is it possible to teach people to cohabit with the environment, or do we have to vacate the environment?
A. Dale: I think it's entirely possible. There are many examples of species at risk within B.C. in general. I saw a presentation from one of my staff members last week dealing with badgers, which are a species at risk in British Columbia, and ranchers. They've done a lot of work, a lot of engagement and a lot of outreach with ranchers across the province.
The uptake in that is great. We now have ranchers that are putting their hands up to have badgers released on their property because they see the benefit that it can actually bring for things like pocket gophers or ground squirrels — so moving from the thought of badgers being a pest on their land to one that removes pests, actually. There are numerous examples of that across B.C.
One of the things we mentioned in our response was the work we're doing with UBCM, the Union of B.C. Municipalities. We do have the species-at-risk working group there, and we're looking at incentives and stewardship options for private land owners across the province, which is going very well. That committee under UBCM has, I think, at least 50 members on it.
L. Throness: Well, please put the Salish sucker on that list. We would appreciate that very much.
Is it possible that observational technology — it's far more sensitive than it has been in the past — can be used to a greater extent in determining and monitoring populations and things like that? How are you using new technologies such as satellite technology?
M. Zacharias: We're using quite a bit of it right now. I think the broadest application would be on caribou recovery. We have caribou collared with GPS collars. They have mortality signals. If the collar doesn't move for several hours, then we can go out and investigate.
I think a lot of other technologies are starting to become smaller so that we can look at animals. We have, basically, flash traps for a lot of animals so we can see at road crossings whether they're captured. We have cameras that are wireless and now attached to cellular. They're installed in culverts. I think there's one on the Sea to Sky Highway now. You can actually go onto the Ministry of Transportation website and look at the screen captures of what's coming through.
The technology is there. We also have technology coming from the other sides, in DNA bar-coding. We have hair traps now. It's very simple. You get a hair sample. It can be analyzed very quickly to figure out species, subspecies, population, gender, condition.
We've been using a lot of technology for a number of years now, looking at…. You can find animal scat, right? You can look at kind of the stress level of the animal through some of its steroid composition.
So a lot of it we're using, quite a bit of it. I would say the most opportunities for the future are again our GPS technology and molecular genetic techniques.
L. Throness: My final question: is the decline in biodiversity reversible, in your view?
M. Zacharias: It's a very good question, Member.
Again, it depends on the length of your view. In the short term we have a number of species that we know we can do good things for. We don't necessarily have white-nose syndrome for bat declines that other provinces have. We know it's probably on its way to B.C., and we know we can do certain things. We can research it. We can ask cavers to make sure you wash your gear before you switch caves so as not to spread.
We have a species that breeding birds…. You people can create nest boxes, right? So very, very simple, low-tech things we can do.
We also have industries, quite frankly, that are going to be a large footprint on the land base for several decades, and then that footprint is going to go away. Natural gas exploration in the northeast is going to have a fair footprint and does have a footprint on the land base, but 80 to 100 years from now that footprint will start growing back. There are other parts of the province where it won't. Urbanization is fairly much permanent.
It's a huge question. It depends who you ask, and it depends what your time frames are.
B. Ralston (Chair): It's now three o'clock. We've been at it for two hours. I'm going to suggest we take about a seven-minute break, and then we'll continue.
The committee recessed from 3:03 p.m. to 3:11 p.m.
[B. Ralston in the chair.]
B. Ralston (Chair): The next questioner is MLA Kyllo.
G. Kyllo: The question is: is this the first comprehensive audit that's been completed on biodiversity in B.C.? Is this the first time that audit's been completed?
R. Jones: It is.
G. Kyllo: And the other question: what precipitated the audit?
R. Jones: I guess it gets to how we pick all of our performance audits. We take a look at the various issues around the province and ones that we think are significant for the people of the province to know about and for legislators to know about as well. We risk-rank it, take a look at whether we have the available resources to do it and the skills. And we try and pick environmental issues, as well, as areas to look at, so it came sort of up to the top.
G. Kyllo: Great. Yeah, it's an important first step, and you guys have identified your initial six-point action plan. I think it's very important that we focus on protecting the habitat. It's a lot easier to protect the habitat than to focus on specific species. My brother worked with Conservation International in the United States for about eight or nine years, and that was their focus. Rather than focus on protecting the species, they focused on protecting the habitat. I think that's definitely an important first step.
One concern I really have as far as protecting the habitat and the impact on the species is ensuring that we don't have the invasive species coming in. I'm from the Shuswap riding, and we've got real concerns about the potential or pending problem with zebra mussels. I'm just wondering if you could maybe just allude a little bit to what efforts you're undertaking on both education and identification, preventing those invasive species, because those can have a disastrous impact on other populations.
A. Dale: Sure. The second-largest threat to biodiversity is invasive species. Certainly, the threat of zebra mussels is one we're taking very seriously. We recently added zebra mussels — and quagga mussels, which are a closely related species — to our controlled alien species regulation under the Wildlife Act. What that does is it allows the conservation officers to stop a boat if it has zebra mussels on it and have it decontaminated.
We've worked with the Invasive Species Council of British Columbia, very closely with them, working on rapid response protocols. So if there is a boat that's identified at the border, we can find out about that quickly and have our conservation officers go in. They now have the powers to confiscate a boat and have that done to it.
That's just one of them. Folks might remember the snakehead in Burnaby Lake. Snakeheads are another one that we've put on our list of things that you can't own. You can't possess them, you can't breed them, and you can't transport them.
We're also working very closely with the federal government. One of the big issues for invasive species is the species that come across the border. So we're trying to work with them to figure out ways of having a list of species that can or can't be imported into the country. That's a bit more of a challenge, because there are all sorts of reasons why things do come across the border. But we're trying to work with them to address that issue as well.
G. Kyllo: And one follow-up, I guess. How do you feel your budget is, as far as the educational piece? Education, obviously, is going to be a fairly important portion of ensuring that we identify those invasive species when they do arrive in B.C.
A. Dale: Yeah, a big part of it is education. As I mentioned, in terms of government's educational outreach aspect, it's our staff that are really the ambassadors of that type of thing. They were working very closely with, as I mentioned, the Invasive Species Council of B.C. They've put out a lot of stuff that we worked with them to put out. So we're really capitalizing on the opportunities that are there.
G. Kyllo: There's one great program. There's a big billboard in our riding that says: "Don't move a mussel." It's brilliant.
A. Dale: Yeah, that's excellent. I wish I came up with it.
M. Morris: Biodiversity is a big file. I certainly don't envy you guys from time to time with some of the pressures and problems and whatnot that you do face in executing your file. There have been a lot of changes. I don't think this province has probably ever experienced the impact and the pressures on biodiversity with the pine beetle epidemic that we've had and the resource development that has taken place throughout the province. And it's only going to increase in time.
You mentioned earlier on that you were looking for partners for biodiversity monitoring and whatnot. There's an abundance of partnerships out there, if they're explored. Of course, we've talked about it before at the B.C. Trappers Association, the Guide Outfitters Association. There are a number of guides and outfitters out there — hunters, fisherpersons, adventure hikers and whatnot that we have over there. I don't think we — the collective "we" of this province — utilize them to the extent that we should. I think there's a whole ton of valuable information that we can garner from those sources, because they're out there all the time.
The second part of the question I have is looking at the impact of the pine beetle — particularly in the Interior, up in my neck of the woods — and the extent of logging and other resource development associated with that. Has your ministry repurposed resources to address those pressures that we have up in the Interior?
T. Ethier: The short answer is yes. It is a great focus of inventory and monitoring efforts across the range of species that occur throughout the mountain pine beetle epidemic. Maybe I'll just stop there, but there is a big response going on, looking at the effectiveness of the habitat that we have currently now. What do we need to do differently? How can we secure a healthy forest in the future? There is quite a strategy in place to try to respond to that issue from multiple points of view, including biodiversity.
V. Huntington: I have to say that it's not too much a secret to members who've heard me speak over the last few years that this issue is one of the great issues that we've got in the province, from my perspective. Unfortunately, it's such a large….
Let me step back. I think the report is an excellent baseline on this, and it indicates the enormity of the problem. Even coming to grips with the problem is difficult. Even around this table we tend to go into the little details, the minutiae.
When you talk about minutiae, it all seems okay, but when you look at the broad picture, we have some serious problems in the province, and we have ministries that are having trouble coping with the issue. I mean, I think that's fair to say. You're trying hard, and you're doing a good job on what you can do.
When I was looking at this, I spent a fair amount of time looking at the responses of government to the recommendation. I am concerned with the subtle shift of language that's going on. It does show the shift in priorities the government does have. I'm not arguing with the priorities. But it does show that when you redefine "the environment" and it becomes coordinated natural resource sector and part of the process you're undertaking is to explore new ways of mitigating the effects of development on our environmental values, then you begin to see where the priority is.
Take as an example where you admit that the B.C. northeast has become a priority of the two ministries in terms of determining ecosystem biodiversity. Do you find that you're struggling with the two requirements — i.e., natural resource development versus the protection of ecosystem values? How are you balancing those within the two ministries? In other words, I think one of your ministries is in conflict.
T. Ethier: It's a good question. I appreciate that question.
The example maybe I can start with trying to respond to is how we have, as government, tried to sustain forestry — both timber objectives and all the other objectives that we manage through forestry, through the Forest and Range Practices Act — by setting objectives, by establishing wildlife habitat areas or ungulate winter ranges underneath that piece of legislation, and using those objectives to help guide what the chief forester will determine for a harvest level for the next five to ten years.
It's an explicit scheme to try to identify the objectives that we are managing for, including the economic objectives, the social objectives and the environmental objectives. I guess it is always going to be a debatable point — if it should be all in one legislation like that or if it should be somewhere else. But this is what….
V. Huntington: That aside…. Keep talking. I'm sorry. I shouldn't have brought in the ministry issue.
T. Ethier: I do think that that's a fundamental challenge for us in government, to make decisions around what will be proceeding in terms of economic development. But in every one of these decisions within this sector, the way we read it, the way we write it is that we think that we've got all of the competing ministries now together thinking about environmental values as they proceed to make decisions.
It has shifted the kind of conversation that happens within government. It's more seen as an ethic that goes through what we call the sector. I don't know if that answers it.
V. Huntington: Do you see a possibility of environmental values…? I could say: do you think the areas, for instance, that you've conserved as the forests have been developed or…? Do you feel that they're successful? Do you feel that the natural resource development will subsume areas of biodiversity? I think it is, in some areas. Do you think you can catch up to it, say in the northeast sector? All you have to do is fly over parts of it and realize, holy cow.
With no cumulative impact assessment and a desire to control the levels of development, how can you preserve biodiversity with what is happening there? Can you get on top of this issue fast enough? If the northeast is your priority at this moment, can you get on top of the issue fast enough to preserve biodiversity up there? Do you have the authority inherent in your legislation?
M. Zacharias: Member, your first question is: how do we struggle with the balance between environmental protection and natural resource development? If I understand your question, that's kind of where it's coming from.
From a biodiversity perspective, we live in a province that is disturbance-rich. Most of our province is…. We burn down. We have fires. We have floods. We have, basically, a natural ecosystem that is generally fairly resilient. Where we have troubles is we do have what we call bite-me species in B.C. Those are generally old-growth obligates — the spotted owls of the world — or species that are at the southern edge of the range or northern edge of the range — caribou on the southern edge of the range and some other species in the Okanagan at the northern edge. Those are the ones where we spend disproportionate amounts of time and energy looking after them, as it were.
So if your question is, "Can you have your cake and eat it," you can for much of the province, because a lot of our wildlife and biota can coexist with industry and development in a human settlement.
We have spent quite a bit of time over the last…. Since 2007 we've put a million hectares of protections in just for caribou and spotted owl — just those two species in B.C. That is going to be a challenge going forward.
On the northeast development piece, the answer to your question is: I don't know yet, because we don't know what the scope and scale of development is going to be on that piece. We are preparing. We've just put 500,000 hectares aside on resource review areas in northeast B.C. for boreal caribou, and we'll review those to see whether they're working as well.
We will continue to kind of look at coastal forest industry and species. Those are the bite-me species. But there is a way to have a balance there, and I think Tom alluded to the fact that we are aligning for the first time ever. A lot of our decisions in government were made in silos and independent of each other. Now we have a way… A forestry decision actually crosses over, and you have somebody with knowledge of biodiversity and a biologist look at it and kind of go: "Yes, we can live with that" or "No, we can't."
V. Huntington: Can I ask another one, a couple more?
B. Ralston (Chair): Well, okay.
V. Huntington: Yes, I need to ask one.
If I take a look at how an approach to an ecosystem might work…. Maybe I can ask that. When you look at…. I'm going to be very specific. I'm going to talk about Delta.
Delta is Canada's most important bird area — Ramsar-designated site, Boundary Bay wildlife management area, Sturgeon Bank wildlife management area, Roberts Bank wildlife management area, Burns Bog conservancy area, Alaksen national wildlife refuge, Reifel bird sanctuary. I mean, there are very few communities, especially in an urban environment, that have that level of importance to wildlife.
Yet when you designate something a wildlife management area, how are you then monitoring the value of and the continual disappearance of habitat which specifically supports the wildlife management area and the wildlife on it? Is anybody looking at the fact that the habitat is declining so rapidly in Delta that you're going to have problems in a few years supporting them? Yet, you've just basically initiated wildlife management areas around the Deltaport, of course.
How are you managing these areas and the recognition that these are important? How are you protecting the value of the habitat? Do you even know what habitats are required in a case like the wildlife management area in Delta?
M. Zacharias: Member, you've picked a very challenging example in your riding. For the most part, I don't think any of us can answer the question specific to your riding, because the birds, particularly the species you're talking about, are part of the Migratory Birds Act, so they're federally managed.
I know that's not a great answer.
V. Huntington: No it's not, because it's a cop-out.
M. Zacharias: But if I can take another species in another part of the province that is on Crown lands, I'd be happy to sort of have a look at that question.
Your question is, if I have this correctly: how do we know whether the habitat that's been identified is protective, and then how do we know whether it's doing what it's supposed to be doing? Have I captured you correctly there?
V. Huntington: In essence, I'd like to know if you've identified the habitat necessary to support the wildlife management area. And are you attempting to protect it? That's sort of a different way of looking at the question.
M. Zacharias: The answer to that would be depending on the species. We have very sophisticated habitat models for a lot of our vertebrates, and we apply those. We go and we test them in the field, and we have students at post-secondary institutions working on those. We have very sophisticated habitat models for species such as caribou, which are not just about habitat, but we have predation built into the model. We have forest growth built into the model. We have the amount of time and radius that a cougar would spend searching. So there's a predator component built into the model.
So we have that for some; we don't have it for all. I can't give you an answer around migratory birds in your riding.
V. Huntington: Does the province then sit and watch a wildlife management area wither because it can't do anything about habitat preservation? Do you stand by and watch that happen? How do you move in and protect your own wildlife management area anywhere in the province?
M. Zacharias: Anywhere in the province if there's something contravening the intent and purpose of the wildlife management area…. It is a creature of statutes, so it's a legal designation, and we have all of the enforcement powers to go in and redress or mitigate for that threat. The tools are there — the legal and tools are there. We do have the conservation officer service, and that's their job — to help out with that. We also have the compliance and enforcement part of FLNRO. It also does just that as well.
V. Huntington: This is my last.
B. Ralston (Chair): I'm going to intervene. I think I've been pretty generous in terms of questions.
V. Huntington: Have you identified the gaps in those opportunities to protect, just as the report suggests?
M. Zacharias: Gaps in terms of…?
V. Huntington: Your ability to protect habitats in those cases.
T. Ethier: Wildlife management areas are a tool under the Wildlife Act. They are built usually through recommendations and stakeholder meetings. We consult deeply on them, trying to identify what the objectives of a wildlife management area are going to be. Cabinet reviews them, signs off on them, and then they get established.
Now, usually those plans then become direction to the regional manager to ensure that the values that the cabinet has identified as being protected would be looked after through time. Sometimes wildlife management areas get lost in the shuffle of priorities, and we catch up to them later.
In terms of funding for them, we usually access through the Habitat Conservation Trust Foundation to support the management activities on wildlife management areas. There's often a plan associated with wildlife management areas, in addition to the one that's actually approved by cabinet, that sort of sets out what sort of activities we're going to do over the next five years. That's typically done through the regional office.
Your point, though, is a good one — around some of the wildlife management areas when they were chosen. The sort of landscape that they're now sitting in is different than when they were first established, and they may not be as effective as they were first envisioned. But the argument to that is: what would it look like if these weren't there, in terms of biodiversity conservation?
B. Ralston (Chair): I let the member go on a little bit longer because I know of her particular interest in this area. But I'm going to ask members…. Just let me recite the list here. I've got Selina Robinson, Marc Dalton and then, for the second time, Heyman, Letnick and Corrigan.
S. Robinson: I have questions about the actual recommendations and the response to the recommendations. My first question is to the Auditor General around recommendation 1. It talks about making a long-term commitment. What did the Auditor General have in mind when it said "long term"? What does that mean?
A. Todosichuk: One of the things that we found in our report was that one of the barriers to success in achieving information was the degree of sporadic funding that the ministry was having. That was why we were looking at long-term commitment. You need to see trends in how species are doing, and that was one of the other things that we weren't seeing. There was a lot of information about trends on how one species was doing over another species. So that's why we've asked for long-term.
S. Robinson: A follow-up to that. Based on the response, do you think that there is a long-term commitment, or do you think that's something that's still lacking?
M. Sydor: I think that as the people from the ministry indicated, they're acting on each of the recommendations. They have indicated that they will take some time. I think what we've seen when we look at some of the areas where we've tried to prop up biodiversity…. I think of grizzly bears. Again, grizzlies keep popping up during this discussion.
The province and Washington State have had a Cascades grizzly strategy in place for many years, but in terms of the population, it probably hasn't actually expanded that much. I mean, you have some species that don't reproduce at a great rate. They reproduce infrequently and have a very small number of offspring.
So in terms of the long-term thinking that we're talking about, it's maintaining a consistent approach. So if we have a conservation framework in place, do we keep that in place long enough that we're starting to see some impacts?
I think one of the areas we've pointed out is that there isn't much information about whether the activities that have been undertaken have actually been effective. It actually mirrors one of the findings that we made when we looked at the environmental assessment office.
We put a lot of mitigation efforts into those major projects, but nobody was actually going out and seeing, firstly, whether all of the mitigating efforts that were required were actually being put in place. But then, more importantly, were they having the effect intended? You can do all the work, but at the end of the day, the species you're trying to protect actually diminishes.
The long term has a couple of components. Ard has talked about maintaining a focus on it, having the long-term strategy, making sure that there's a consistent approach in terms of resources applied. I think that reflects the fact that for a lot of these initiatives, they will take a lot of time to see fruit.
S. Robinson: That brings me, actually, to some of the language used in some of the responses by the ministry. I want to make sure I understand clearly recommendation 1, that the ministry is committed to "develop options to secure long-term funding." I have a question for clarification. Is that to develop options, or is that to actually secure long-term funding? Those are two different things to me, and I just want to get some clarity.
The second bullet, "Develop options to secure long-term funding." So you can develop options, and then you secure funding. I want to know which it is that you're planning to do.
M. Zacharias: The intent is the latter.
S. Robinson: That's great. I was hopeful that that would be the case. That brings me to some of the other….
B. Ralston (Chair): One final question, please.
S. Robinson: This will be my final question.
There are some other, I guess, language commitments that I want to get clarity on, things like "initiate reviews." Initiating reviews by 2017 — is that the same thing as completing the review, or is that just initiating the review? There are a few others similar to that that I would appreciate getting some better clarity on.
M. Sydor: That's something that we will keep in mind when we do our follow-up. I mean, one of the issues we have had in the past is that occasionally our recommendations are maybe not looked at by the auditee in the same way we do. As Russ indicated earlier, there will be a discussion with the committee to see what our approach should be.
At a minimum, if we continue on with what we've been doing, we will be asking the ministry to provide a self-assessment, and we'd be looking at that for reasonableness.
I think you're right. The response you got is the one that we would have expected. The minister is actually looking for more than options. The first step is to identify options, but then, obviously, we want to seek that funding and make sure it's in place to carry out the work required.
A. Dale: I'll just quickly add to that. The instance that was raised before about 2017 is a bit of a wording issue, I think, as opposed to a commitment issue. It does say that starting in 2013 we'll start looking at this. It does take a while for the legislative options to work through the process, but our hope is that we will know what we're doing by 2017.
B. Ralston (Chair): It took the Insurance Act eight years, I think.
M. Dalton: I want to concur with your earlier comment about species populations expanding or decreasing. I represent Maple Ridge–Mission, and I know that we're getting elk for the first time in Maple Ridge. I know that the grizzly bears are starting to encroach, moving down south. Some are up in the upper reaches of Pitt Lake.
One issue that we faced in Mission, in particular, was with the Oregon snail. They discovered — I don't know — a dozen or so on this land that was going to be developed for a very significant project, probably $100 million worth and looking at probably about 100 or more jobs — very important for taxation revenue for the entire community. It got basically held up with the Oregon snail. The Oregon snail is on the northern…. It's not endangered as far as a species, but we were on the northern range.
For years the project was held up. I think for each snail, moving it to Sumas Mountain…. The cost to the whole project was tens of thousands for each snail. The fellow went bankrupt, and the project never went forward, to the detriment of the community. It is a concern.
Something else that was found is that the Oregon snail is actually…. They're finding more and more populations around. So with the legislation on endangered species, perhaps not act when the science…. Perhaps there are a lot more than people realize as far as the snails and just the impact. I know it's a balance, but it is a real concern.
An earlier comment was that 37 percent of our land base is already protected to one level or another. I know that Vicki has mentioned one side of things. I know, representing my riding and the area, that it is a real concern. So if you can maybe address some of those comments, I'd appreciate it.
M. Zacharias: That's a very illustrative example of some of the issues. A couple of comments on that. One is that it does demonstrate that species at risk are taken seriously, and Oregon snail has been an issue in the Fraser Valley for many, many years. That would be my first comment.
The second one is that we do have the conservation framework, which looks at the global responsibility of B.C. as a jurisdiction for the management of a lot of these edge-range species. These are the ones that come across into B.C. from more southern jurisdictions. We do have certain birds that'll come two weeks across the border in the winter every several years, and then they'll go back. So we do have kind of a way and a method and prioritize on that piece.
The third piece that impacts particularly the Oregon snail and the other species named Oregon in the Fraser Valley is that we do have the mitigation offsetting policy now, which I believe has now been used for Oregon snail in looking at what other alternative habitats can either be remediated, secured or somehow preserved such that there is sufficient habitat for the snails.
It has been a very difficult one for governments — local government, provincial government and the federal government — on this piece. But I think what we do now…. We've got a number of tools that we didn't have a number of years ago to address these types of species.
G. Heyman: I want to go back to the issue I raised earlier about resources for monitoring. I think we all know that when there is adequate resource within any funded agency or public body or government ministry, there are a set of standards and controls around how the monitoring is carried out, what the criteria are, what the procedures are.
I mean, having participated in some citizen science monitoring on a couple of occasions, it struck me at the end of each process that I had no idea where the data that I helped collect was actually going or whether I and people in my cohort were collecting in a fairly consistent manner — because we weren't receiving a lot of training — or if data that we were collecting was being collected in a manner consistent with that being done by other cohorts.
My question is: with respect to the ministry, what measures, if you're increasingly relying on citizen science, do you have or are you contemplating putting in place to ensure that there is some uniformity and reliability of data?
M. Zacharias: I'll take that, and then I'll probably pass it off to Alec.
The province, for almost two decades now, has used something called resources inventory standards committee. For all of the values that we monitor, we have kind of very prescriptive standards around how things are collected, where they're collected and what happens to the data and how the data are to be submitted. Those are in use.
It's a very good point — to what extent those standards are actually propagating out to some of these volunteer groups that are using them. I know DFO had the same issue a number of years ago around some of their streamkeepers work.
We are looking at, and I think that was on recommendation 1, better policies to figure out what we do with data that comes in the door — how we run it through QA-QC, and how we get it into the data warehouse where it's available to inform decision-making. We can probably follow up with you on that, around what exists and where.
Alec, do you have anything to add?
A. Dale: Again, just quickly, when we look at the citizen science type of data, we're largely looking at that for what we term as inventory. It's largely presence-absence type of work. If we're looking at effectiveness monitoring or compliance monitoring, that type of thing, we very much rely more on the standards that we have developed internally to make sure that that data is collected in an appropriate manner and that it's handled in an appropriate manner.
So there is a variation in terms of what that data gets used for, in terms of how rigorous our standards are.
G. Heyman: One more quick question. With respect to all of the work that you're doing to fill the gaps that were identified in understanding biodiversity, monitoring biodiversity, putting in place measures to protect biodiversity, in any part of that work or in any other way is either ministry contemplating or is the Auditor General contemplating a future audit doing any work at all on the cost of lost economic opportunity or lost ecosystem services — to actually quantify it — that would or could result from inadequate protection?
A. Dale: I guess I can talk a little bit about that. I mean, there is some work going on looking at ecosystem services and the costs and opportunity losses associated with that. It's a big challenge to sort of monetize and categorize ecosystem services.
Some of the numbers involved are almost in the realm of abstract. But there is a lot of work going on. There's work going on with the federal government that we're working with them on right now — sort of value-of-nature pieces that they're working on. Another piece that we are working on is looking at cumulative effects and what those impacts are and, looking at a more long-term larger area, what those impacts mean in terms of not just the environmental impacts but also the socioeconomic impacts.
I'm not sure if that completely answered the question.
G. Heyman: Partly. Not very specifically, though.
R. Jones: I guess from our standpoint one of the areas that we are currently developing an audit around is cumulative effects in the province. That might get at some of this.
B. Ralston (Chair): Okay. Thank you.
Norm Letnick was next. I think his question has been answered, he said.
N. Letnick: It was. It was on zebra mussels.
K. Corrigan: I have some concerns about the changing approach and the "one land base, one land manager" approach, which seeks to balance interests in an area — social, environmental and economic values. And I understand that the whole world of government is about balancing values. But previously we had in existence a number of tools that were quite concrete.
For example, the fisheries-sensitive watersheds designation. The report says that there hasn't been any new designation since 2007 and "without designation of these areas, significant fish habitats may be declining." Then on the next page it says: "Temperature-sensitive streams. Government hasn't finalized its procedures for designating temperature-sensitive streams. As a result, it has yet to establish any of these designations, leaving some fish habitat at risk."
Then further down that page under recommendation 4 on the discussion about monitoring, it was expected that government would be monitoring the effectiveness of its wildlife habitat areas, ungulate winter range and fisheries-sensitive watersheds and that only a limited amount was being done.
Although these tools have been used a limited amount — it is apparent that that's what the report says — at least they were tools that were concrete. I'm wondering whether there's any shared concern about whether or not — as we seem to be moving away from the use of concrete tools that would put very stringent or somewhat stringent mechanisms in place — as we move to more a "one land base, one land manager" approach, we somewhat endanger some of those mechanisms that would have been more proscriptive.
T. Ethier: I don't have an answer for why we haven't been establishing fisheries-sensitive watersheds or temperature-sensitive streams in the last few years.
I don't know if it's a science issue, if it's an information issue or if things are just working their way through the system. I understand that they are a bit more complicated than establishing sort of a wildlife habitat area around a known nest site. There may be something in terms of the methodology around how that's working its way through the system.
Those tools, though, are still in place. They haven't been diminished in terms of the one land manager. Those are still tools that we have, legislatively, at our disposal to use and to bring into effect. I don't see the shift, in terms of how government is organized, affecting these legislative tools at all. There has been no decree at all to say: "Don't pursue these." It could be tied more to the level of science that we've got. Or, potentially, there is a much more in-depth consultation that's going on around them.
I'm sorry. I can get back to you, though, on why things haven't moved on. It was a question I've had, as well.
B. Ralston (Chair): Any response like that should come back through the committee, so all members can share in the response. But I'm sure you know that.
K. Corrigan: Yeah, I mean, maybe the Auditor General's office would be interested. I just fear that if the economic value of something is seen as having a great deal of potential and the economic values are strong, does that mean that it would outweigh, then, the environmental values, and areas that perhaps could have had a designation — and that's just one example — would then sort of be thrown underneath the bus?
Of course we have to develop our province. But I do think, obviously, we want to maintain the ability to protect biodiversity. I'm not sure whether the Auditor General's office has any comment on this as well?
M. Sydor: Well, I think part of the issue comes back to capacity to deal with everything that has to be dealt with. Ardice just pointed out that, in fact, government had identified about 150 of these fish-sensitive watersheds that should be examined to see whether they need to be brought into that fold — just a matter of getting around and looking at them and making decisions. Again, the question comes back to capacity.
I think we have the same information with regard to wildlife habitat areas. There are a number that have been established. The ministry reports on them. But there are a number, as well, that have been identified that haven't been through that assessment process to see whether we should add them to the group.
It's not that the tools are going to be dropped in favour of an ecosystem-based approach. These are part of the tools that provide protection within that eco-based system by identifying specific areas that need added protection.
K. Corrigan: Can I just have one final question?
B. Ralston (Chair): I think Alec is going to answer as well.
A. Dale: I'll just add to it a bit, maybe from a little closer to the on-the-ground perspective. Just in terms of the tools and how things happen now — the sort of "one land base, one land manager" approach…. In the past, MOE might have been responsible for these. It was always a competition and a negotiation and a fight to get things in place when you have agencies that look at specific mandates and that's it.
Personally, I find that a lot of this stuff is working a lot better now — especially in the regions, where you have people looking at all of these values and really being responsible for them. From my perspective, it's actually improving, and I think the shift is actually one of the things that is going to allow us to better conserve for biodiversity, moving forward. I truly believe that.
B. Ralston (Chair): David Eby, and then that's the last person I have.
D. Eby: I just wanted to note a couple of comments from some of the government members about, first, the sucker fish and then the Oregonian snail story.
I had a quick look into the Oregonian snail story. This is a story of a developer that tried very hard to accommodate the Department of Fisheries and Oceans with fish habitat and so on. It took almost three years for them to issue the approval. It was an issue of gross incompetence of the Department of Fisheries and not an issue of misplaced priorities. In fact, I suspect that if this developer were approached and said, "Look, all you need to do is preserve this wetland corner of the property," they would have been very pleased to do that. In fact, it may have been a marketing advantage for them.
I think that what we need to avoid doing is creating an environment in which — no pun intended — all our parties can agree that we do not have to pit the environment against the economy, that all of us are in favour of developments that benefit Mission in terms of this very significant development, that no one is in favour of it taking 546 days for this guy to get approval from the feds and, in fact, that our Ministry of Environment should be available to developers to approach and say: "Look, I'm doing this. How can I preserve the ecosystem and the biodiversity and incorporate that into what I'm trying to do?"
I wonder whether the Ministry of Environment can advise whether they have the capacity to answer questions from developers who are interested in incorporating biodiversity into their developments — whether they're able to assist in that manner or not currently.
A. Dale: We have some capacity for that — probably not up to the needs, if it became apparent that there was some assistance there. But I think what we can offer, as Mark had mentioned earlier, is our environmental mitigation policy. It lays out exactly that: how you can go through the mitigation process, which involves, first off, avoiding impacts; restoring, if you have impacted; and finally, all the way down to potentially offsetting habitats or maybe even financial offsetting.
What we've done with that policy…. This is business that government and the ministries have engaged in, in the past, but not in a coordinated fashion. So what the policy does is that it outlines the steps and the framework for doing that in a very coordinated fashion so there is consistency across the province and so that developers or industry or whoever it is knows what to expect.
B. Ralston (Chair): Vicki, you wanted a final question.
V. Huntington: I can go to the library for it — save time.
B. Ralston (Chair): Really? Okay. Here I thought I was being generous. That's okay. We'll move on.
I think that completes our questions. We're very near the time that we had agreed to adjourn. What I would like to do, similarly with the previous one, is to adjourn debate, and then the vice-Chair and I will have some discussions about how to deal with the recommendations. I think most of the response from the ministry has been responding to the recommendations, but I think I want to have that opportunity.
So I'm going to suggest….
L. Reimer: Are we going to be doing this for each of the reports and then discussing everything at the end? How is that going to work?
B. Ralston (Chair): Well, I think what I want to do with the vice-Chair and the Auditor General is just to confirm that there's agreement that that's the way we'll go forward. I think the recommendations, in my view, are relatively uncontroversial, but I want to confirm and have the opportunity to discuss that with Sam. So before we do that….
I don't know whether we will need to debate each set of recommendations individually or whether, given that we're familiar with them and we've debated them, there will be general consensus. That's my aspiration in any event, and we'll see whether that comes to pass.
L. Reimer: Is that a question that is determined between you and the Deputy Chair? Or is that not something that the committee should be discussing?
B. Ralston (Chair): Well, the first point of contact for me, in order to manage and direct the committee, is to speak with the Deputy Chair. Then, depending on where we are, we would bring it to the committee. But as a courtesy and as a priority, I check with him first.
L. Reimer: Okay, thank you.
B. Ralston (Chair): Okay, we'll consider that debate adjourned in that way.
I think the Clerk wants to address you about the workplan for tomorrow.
Other Business
K. Ryan-Lloyd (Deputy Clerk and Clerk of Committees): Good afternoon, Members. I wanted to let you know that we have prepared similar binders such as those that you used throughout the proceedings today. We have binders available here in the room for Tuesday, Wednesday and Thursday proceedings.
Should you wish to pick up a copy this evening, we can certainly provide that to you. We encourage you to bring them, as well, to the meetings that follow, because we don't have that many extra copies of them. It would be very helpful if you did bring them back tomorrow.
If there are any materials that you don't need now that we can recycle, bring them back to Victoria. We'd be happy to do that.
I also wanted to briefly draw your attention to a letter that we forwarded to your attention earlier today from the B.C. School Trustees Association. This relates to the school board governance audit that you'll be reviewing on Thursday.
It's a letter on behalf of the president of that association outlining some of the services that the B.C. School Trustees Association provides to support trustees with their responsibilities in conjunction with that report. The association is not appearing as a witness but wanted to share that information with you.
B. Ralston (Chair): Thanks.
Okay, so tomorrow at nine, then. We're adjourned till then.
The committee adjourned at 4 p.m.
Copyright © 2013: British Columbia Hansard Services, Victoria, British Columbia, Canada