Internal Audit of Physical Security
March 2017
- Executive Summary
- Detailed Report
- Observations, Recommendations, and Management Action Plan
- Appendix
1. Executive Summary
1.1. Objective
The objective of the audit is to provide assurance that CIHR’s physical security environment protects its staff, assets and physical infrastructure from threats in compliance with the Policy on Government Security and other related Treasury Board policies.
1.2. Scope
The audit assessed if CIHR had established the required elements of a departmental security program for physical security, personnel screening, business continuity and disaster recovery planning in accordance with the Policy on Government Security including the:
- implementation of a governance structure with defined accountabilities, roles and responsibilities;
- implementation of ongoing risk management to identify and assess the threats, vulnerabilities and risks; and
- identification, implementation and ongoing monitoring and maintenance of controls to protect information, assets, facilities and staff.
The following areas were out of scope for the audit:
- CIHR’s 13 Institutes [Footnote 1];
- Security of electronic records, including confidentiality, integrity and accessibility; and
- Security of environmental systems such as heating, cooling, ventilation, fire safety, etc.
1.3. Overall Audit Opinion
The audit has concluded that physical security has moderate issues. Control weaknesses exist, but exposure is limited because the likelihood or the impact of the risk is not high.
1.4. Summary of Strengths
The following strengths were noted related to physical security:
- Security screening requirements for employee roles are established and controls are in place to ensure that employees have the necessary clearance before taking up their duties.
- Controls to ensure the proper assessment of security requirements for contracts have been built into the procurement processes and the process is followed.
- Access to the CIHR facility is assigned and maintained according to role requirements and is well-controlled.
1.5. Summary of Improvement Opportunities
The following aspects of physical security and business continuity and disaster recovery planning require management’s attention. These are presented along with the actions to be taken by management to address the risks. The observations, recommendations and management action plan are discussed in greater detail in the Detailed Report that follows the executive summary.
Observation | Management Response |
---|---|
1. CIHR may be unable to continue essential operations in the case of an interruption due to gaps in business continuity and disaster recovery planning. | The current Business Continuity Plan (BCP) was approved in October 2011 by the Executive Management Committee (EMC). The Departmental Security Officer (DSO) is conducting consultations with Management to identify current requirements, review initial assumptions for the BCP-DRP (Disaster Recovery Plan), and update the BCP-DRP. Disaster scenarios (BCP) will be developed and table top exercises will be planned, executed and documented to maintain focus and ensure resources are put to best use in case of a crisis. |
2. Mandatory security awareness training is not completed by all new employees and there are gaps in current employees’ physical security knowledge. | Security will update the guidelines to provide more direction and precision on information handling. Storage requirements will be addressed and mitigated with training, and a clean desk policy will be encouraged. Security is currently working on the design of a security awareness program and information management on-line training specific to CIHR. In our opinion, the Canada School of Public Service training module is too generic and basic. We will coordinate efforts with Information Management on the content of training and with Human Resources on making this training mandatory for all new and current employees. |
3. Physical Security risk assessments require updating and action items from previous assessments are not tracked to closure. | Following the last assessment, risks identified were mitigated and our threat and risk levels remain low. Security will review and assess the physical risk landscape to identify new or evolving risks to CIHR personnel and assets. CIHR Security will track the status of identified risks and action items to closure and will ensure through briefings and written notifications that management formally accepts residual risks. |
4. Personnel who handle sensitive documents are not always provided with approved storage containers and would benefit from additional guidance on classification and handling. | Less than 1% of information is classified at the SECRET level at CIHR. There are one or two TB submissions per year handled by Finance, and a secure cabinet is available in the unit. The Policy and Government Relations unit handles Cabinet Confidences and correspondence from Ministers’ offices. Security will review the requirements and provide guidance to staff on the process and procedures related to the handling of SECRET documents. |
5. Screening requirements for Governing Council members should be clarified, documented and enforced. | CIHR Security is currently consulting with staff of the Governance Secretariat to provide guidance and direction on the process and the importance of having members screened prior to the beginning of their mandate. Security screening forms should become part of the selection process from the beginning. |
6. The Departmental Security Officer does not report functionally to the President or Executive Management Committee. | A letter of appointment of the DSO by the President of CIHR is under development and will be sent to the President for signature. Regular updates to EMC and the President on progress of the implementation of the Departmental Security Plan and other relevant updates will be provided once a year and when new risks are identified. |
7. There is no overall process for security incidents to ensure proper reporting and capture of data for trend analysis. | CIHR Security has a suite of processes and procedures in response to several types of incidents, and we will develop a more formal process. It must be stated that our level of incidents is very low. |
1.6. Statement of Conformance
The Audit of Physical Security conforms with the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.
Internal Audit thanks management and staff for their assistance and cooperation throughout the audit.
David Peckham
Chief Audit Executive & Director General, Performance and Accountability
Canadian Institutes of Health Research
Management agrees with the conclusion of the audit.
Martin Bernier
Departmental Security Officer, Chief Information Officer & Director General Information Technology & Management Services
Canadian Institutes of Health Research
2. Detailed Report
2.1. Physical Security, Business Continuity and Disaster Recovery
Physical security comprises the policies, procedures and controls established to safeguard assets and employees from harm resulting from threats and vulnerabilities in the physical environment. Protection of government employees and assets is a key element of the Policy on Government Security, which establishes the government-wide security requirements necessary to support the continued delivery of services to Canadians. Business continuity and disaster recovery planning establish the elements needed to minimize the effects of interruptions on the Agency’s critical processes through mitigating activities and the establishment of planned recovery procedures.
The Policy on Government Security and its supporting directives and standards require ongoing assessment of risk to select, implement, monitor and maintain controls aimed at preventing, detecting, responding to and recovering from security incidents.
CIHR does not deliver services that are considered mission-critical in the broader context of the Government of Canada. Mission-critical services are defined as those that are critical to the health, safety, security or economic well-being of Canadians, or the effective functioning of government. While CIHR does not hold significant quantities of sensitive information, business processes do collect personal and confidential information from researchers, employees and other stakeholders. CIHR’s physical location in a privately-owned, publicly-accessible building close to the centre of government also carries security implications.
2.2. Risks Addressed by the Audit
Risks specific to physical security were identified and assessed. Broadly, these potential risks can be summarized as:
- The Security Program at CIHR may not effectively address the physical security and business continuity requirements of the Agency.
- CIHR may not have identified its critical business processes and established a business continuity and disaster recovery plan in the event of an incident impacting its operations at the 160 Elgin Street location.
- CIHR may not have adequately identified and assessed the threats and vulnerabilities that could impact the safety and security of employees and assets.
- CIHR may not have implemented the appropriate physical security safeguards to reduce the identified risks to an acceptable level of residual risk.
- The governance structure and accountabilities, roles and responsibilities related to physical security and business continuity may not be clearly established and understood.
Consideration was also given to organizational risks as documented in the corporate risk profile and the general risk categories as presented in the Treasury Board Guide to Risk Taxonomies.
2.3. Methodology and Criteria
The Internal Audit of Physical Security is part of the 2015-18 Risk-Based Audit Plan, as approved by CIHR’s Governing Council.
The audit was conducted in accordance with the Federal Government’s Policy on Internal Audit and related instruments. The principal audit techniques used included:
- Interviews with management and staff of CIHR;
- The examination of relevant policies, legislation, reports, employee role profiles, meeting minutes, records of decision, organizational charts, and other relevant documentation; and
- Walkthroughs, inspections and testing of physical security controls.
Controls were assessed as adequate if they were sufficient to minimize the risks that threaten the achievement of objectives. Detailed criteria and conclusions are contained in the Appendix of this report.
The audit was conducted between September 2016 and February 2017.
3. Observations, Recommendations, and Management Action Plan
3.1. Observation 1: CIHR may be unable to continue essential operations in the case of an interruption due to gaps in business continuity [Footnote 2] and disaster recovery planning. (Criteria #7, #15, #16, #17)

A review of CIHR’s continuity and disaster recovery documentation noted several gaps that could impair or delay the Agency’s ability to resume business operations should an incident occur. While CIHR does not deliver services that are deemed mission critical to the Government of Canada, departments and agencies should establish a business continuity program to address other-than-critical services. [Footnote 3] The current plan has gaps:
- Roles and responsibilities need to be better defined for ensuring readiness of the program;
- Resource and service allocation need to be clarified; and
- Business continuity plans should reflect current business priorities and be tested for ongoing effectiveness.

The DSO and Security team recognize these gaps, and activities are underway to review and revise the Business Continuity Plan. Information technology recovery options are being explored so that management can consider recovery cost information in the prioritization of essential services.

Recommendation:
- 1a) Establish, document and communicate the governance structure for the Business Continuity Planning program, including accountabilities, roles and responsibilities for all required elements.
- 1b) Conduct a business impact analysis to identify the critical services required to continue operations in the event of an interruption. Obtain agreement from senior management on the priority and level of operations required for each service, taking into account the cost of continuance and/or recovery of services.
- 1c) Update the business continuity plan to reflect the results of 1a) and 1b), and ensure supporting elements, including the disaster recovery plan, are identified and aligned.
- 1d) Establish and document a process for regular testing, review and update of the business continuity plan and supporting elements, including how test results will be used to inform future iterations of the plans.

Management Action Plan:
- 1a) to 1d)
  - Responsibilities:
  - Action: Disaster scenarios (BCP) will be developed and table top exercises will be planned, executed and documented to maintain focus and ensure resources are put to best use in case of a crisis.
  - Expected completion:

3.2. Observation 2: Mandatory security awareness training is not completed by all new employees and gaps exist in current employees’ physical security knowledge. (Criterion #21)

CIHR has recently updated its onboarding process to include mandatory Security Awareness training for term and indeterminate employees. This training is available online from the Canada School of Public Service. It is up to the supervisor to ensure that new employees attend this training. During the period between November 2015 and November 2016, there were fourteen new term and indeterminate employees, of whom only two completed the training. Ongoing security awareness for employees is provided through the Security page on the Intranet, CIHR-wide communications for specific incidents, and activities during the annual Government of Canada Security Awareness Week in February. The February 2016 week was primarily focused on information technology security, but physical security was also addressed by materials and activities. [redacted for security reasons] During an inspection conducted during core business hours, no classified documents were left exposed; however, some documents containing personal information and other sensitive data were observed in unattended offices and cubicles. An after-hours inspection had similar results, including a document with sensitive employee information. It was also observed that many files designated PROTECTED are left unsecured in cubicles overnight, contrary to the guidance provided in the CIHR Protecting and Handling Information [Footnote 4] document.

Recommendation:
- 2a) Review and update the “Protecting and Handling Information” guideline to include more specific directions on the handling and storage of CIHR files.
- 2b) Ensure employees have adequate storage cabinets in accordance with the files they handle and the storage requirements; consider implementing a clean-desk policy.
- 2c) Ensure that security awareness training and materials include physical security aspects such as access to the premises and the proper protection of documents.
- 2d) Ensure new and on-strength employees attend the CSPS Security Awareness Training course as required.

Management Action Plan:
- 2a)
  - Responsibility:
  - Action:
  - Expected completion:
- 2b)
  - Responsibility:
  - Action:
  - Expected completion:
- 2c) and 2d)
  - Responsibility:
  - Action:
  - Expected completion:

3.3. Observation 3: Physical Security risk assessments require updating and action items from previous assessments are not tracked to closure. (Criteria #8, #13)

The Directive on Departmental Security Management [Footnote 5] requires the Agency to “develop, document, implement and maintain processes for the systematic management of security risks to ensure continuous adaptation to the changing needs of the department and threat environment.” Threat and risk assessments are a key element of these processes, used to identify areas where security provisions over and above the required government baselines are needed. The last documented risk assessment of the physical space occupied by CIHR occurred in 2009, when a Threat and Risk Assessment (TRA) was conducted on the 9th floor reception area and the President’s office at 160 Elgin Street. Recommendations were made to address risks identified in three areas: employee safety, facility perimeter security, and classified information and equipment holdings. While modifications were made to staff the reception desk on a 24-hour basis with Commissionaires, and video surveillance was added, not all the recommendations were implemented. The status of the items was not formally tracked to either implement them or have management accept the risk. Tracking the status of recommendations and their associated actions is a key component of ensuring that risks are both understood and either mitigated or accepted by management. Periodic review ensures that any changes to either the internal or external environment are identified and assessed for impact. Although CIHR has not changed its physical location since its inception, there have been changes in the surrounding environment, such as new building tenants and renovations to the building lobby. These modifications, along with internal changes such as new working hours or movement of personnel within the office space, could increase physical security risks.

Recommendation:
- 3a) Conduct a threat and risk assessment of physical security risks for the CIHR location.
- 3b) Document a schedule and identify triggering events for review and re-evaluation of risks related to physical security.
- 3c) Track the status of identified risks and action items to closure. Ensure management formally accepts residual risks.

Management Action Plan:
- 3a) and 3b)
  - Responsibilities:
  - Action:
  - Expected completion:
- 3c)
  - Responsibility:
  - Action:
  - Expected completion:

3.4. Observation 4: Personnel who handle sensitive documents are not always provided with approved storage containers and would benefit from additional guidance on classification and handling. (Criteria #22, #30)

The majority of information received and processed by CIHR is unclassified or at most PROTECTED B. There is a limited amount of information considered more sensitive that may be classified at the SECRET level. This information primarily comprises Cabinet Confidences, whose classification and handling are governed by the Privy Council Office’s Policy on the Protection of Cabinet Confidences. [Footnote 6] Cabinet Confidences are handled by a subset of CIHR staff; these documents include Memorandums to Cabinet, Budget Submissions, and Submissions to Treasury Board, along with supporting documentation and other briefing materials sent to or received from the Minister’s office. While key staff members who receive and coordinate information with the Minister’s office have been provided with the appropriate cabinets for storing sensitive information, not all personnel who handle these documents are so equipped.

The CIHR document Protecting and Handling Information [Footnote 7] reflects the Policy on the Protection of Cabinet Confidences and other Treasury Board policies. It provides guidance to CIHR staff on classifying and protecting information received, created, processed and stored at CIHR. This guidance document recommends that submissions to Treasury Board be classified as SECRET. However, the Policy on the Protection of Cabinet Confidences stipulates that submissions to Treasury Board and supporting materials be classified according to their content, with a minimum classification of PROTECTED B. Interviews with staff who handle these documents found that a mix of classifications is used and that additional guidance would be useful. Treasury Board submissions classified as SECRET were not stored in approved cabinets. Although not documented, there is a general understanding within CIHR that Treasury Board submissions do not have the same level of sensitivity once they have been approved by the Board and may be handled and stored differently than before they are approved. However, the Policy on the Protection of Cabinet Confidences states: “Cabinet confidences that have been in existence for more than 20 years may be declassified or downgraded by the originating organization in accordance with departmental criteria for the declassification or downgrading of sensitive information.”

Recommendation:
- 4a) Review the guidance for classification of Treasury Board Submissions, update as appropriate and ensure staff are aware of the full life-cycle requirements for these documents.
- 4b) Ensure all staff who handle paper copies of Cabinet Confidences are identified and provided with secure storage containers.

Management Action Plan:
- 4a) and 4b)
  - Responsibilities:
  - Action: Security will review the requirements and provide guidance to staff on the process and procedures related to the handling of SECRET documents.
  - Expected completion:

3.5. Observation 5: Screening requirements for Governing Council members should be clarified, documented and enforced. (Criterion #24)

Members of the CIHR Governing Council are appointed by the Governor-in-Council through a process defined by the Privy Council Office. Part of the Privy Council Office process includes a background check on the candidate that comprises the following elements:

The results of the background check are confidential to the Privy Council Office and not shared with CIHR. While the history and origin of this requirement are not recorded, current internal practice asserts that Governing Council members be screened to the SECRET level. A review of the clearance status of Governing Council members as of November 2016 found that only four of the fourteen active members held this security clearance level. Through discussion with staff, the primary reason for Governing Council members not obtaining this clearance level is a delay in the completion and return of the necessary forms to CIHR from members.

Risk and Impact: While the risk may be somewhat mitigated by the background checks conducted by the Privy Council Office, it is CIHR that has the responsibility to ensure those provided with sensitive information have met the necessary clearance requirements.

Recommendation:
- 5a) The required clearance level for Governing Council members should be analyzed, assessed against the current checks that are completed through the Governor-in-Council process, and the requirements documented.
- 5b) Ensure Governing Council members are cleared to the required level prior to gaining access to sensitive materials. Assign ownership to the appropriate group for ensuring members complete and return required documentation.

Management Action Plan:
- 5a) and 5b)
  - Responsibilities:
  - Action: CIHR Security is currently consulting with staff of the Governance Secretariat to provide guidance and direction on the process and the importance of having members screened prior to the beginning of their mandate. Security screening forms should become part of the selection process from the beginning.
  - Expected completion:

3.6. Observation 6: The Departmental Security Officer does not report functionally to the President or Executive Management Committee. (Criteria #2, #5, #14)

The Policy on Government Security [Footnote 9] requires the Departmental Security Officer to be functionally responsible to the Deputy Head (the President) or the departmental executive committee (Executive Management Committee). Such a relationship facilitates the Departmental Security Officer’s ability to carry out their duty to recommend appropriate remedial action to the deputy head or senior management committee (as appropriate) in order to address any identified deficiencies in the Agency security program. [Footnote 10] The CIHR Departmental Security Officer is also the Chief Information Officer and Director General of Information Technology Management and reports to the Vice-President, Resource Planning and Management. The Departmental Security Officer does have regular status updates with the President, providing an opportunity to discuss security matters directly with the Deputy Head; however, this reporting relationship is not formalized. Past Departmental Security Officers were formally appointed into and delegated the authority of the role through a letter from the President; however, this was not completed for the current Departmental Security Officer. Formal delegation of authority ensures that accountabilities and responsibilities are clear.

The Departmental Security Plan is developed by the Departmental Security Officer and identifies the security objectives for the Agency over a three-year period. Both the previous and current Departmental Security Plans included the short- and medium-term actions required to achieve these security objectives. Monitoring and oversight of progress against the plan enables senior management to assess progress towards the security objectives and the mitigation of identified risks. However, regular updates on progress against the recommendations in the previous Departmental Security Plans were not provided to EMC, and while the current plan includes performance measures and recommendations on reporting, the frequency and report recipients are not detailed. Regular updates to EMC and the President on progress of the implementation of the Departmental Security Plan will provide visibility for security at the Senior Management level and support the oversight and monitoring of the security program.

Recommendation:
- 6a) Formally appoint the Departmental Security Officer with a functional reporting line to the President or the Executive Management Committee.
- 6b) Implement regular, periodic reporting to the Executive Management Committee on progress against the Departmental Security Plan.

Management Action Plan:
- 6a)
  - Responsibility:
  - Action:
  - Expected completion:
- 6b)
  - Responsibility:
  - Agreed
  - Expected completion:

3.7. Observation 7: There is no overall process for security incidents to ensure proper reporting and capture of data for trend analysis. (Criterion #18)

The Operational Security Standard on Physical Security [Footnote 11] requires departments to establish measures to respond to physical security incidents that ensure they are reported to appropriate security officials, and that immediate and long-term corrective action is taken in a timely fashion. While the immediate response to an incident is of paramount importance to ensure the protection of employees and assets, incident analysis, lessons learned and corrective actions are also part of effective ongoing security and risk management. CIHR has defined procedures for handling security incidents that are specific to the type of incident as follows:

These procedures are focused on the initial reporting of incidents and, in some cases, the initial response approach. Notifying CIHR Security is part of all procedures; however, the steps subsequently taken by Security and other stakeholders are not fully documented. A documented framework or process that allows security incidents to be triaged and the appropriate course of action taken through to final closure would ensure all stakeholders are involved as required. A standardized approach to the collection of information about security incidents also allows for analysis of trends to identify risk areas as well as possible gaps in security awareness and training of employees.

Recommendation:
- 7a) Establish and document a process to classify security incidents to ensure that:

Management Action Plan:
- 7a)
  - Responsibility:
  - Action: It must be stated that our level of incidents is very low.
  - Expected completion:
During the course of our audit, some minor opportunities for improvement were identified that could strengthen systems of internal control, streamline operations and/or enhance processes related to physical security. We have documented these observations in a management letter.
4. Appendix
4.1. Audit Criteria
The audit uses the following definitions to make its assessment of the internal control framework.
Conclusion on Audit Criteria | Definition of Opinion |
---|---|
Well controlled | Well managed, no material weaknesses noted or only minor improvements are needed. |
Moderate issues | Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high. |
Significant improvements required | Control weaknesses either individually or cumulatively represent the possibility of serious exposure. |
4.2. Overall conclusion
The audit has concluded that physical security has moderate issues. Control weaknesses exist, but exposure is limited because the likelihood or the impact of the risk is not high.
Criteria | Reference to Observations | Conclusion |
---|---|---|
Line of Inquiry 1 - Governance (Accountabilities, Roles & Responsibilities) | ||
1. The President has established a security program for the coordination and management of departmental security activities. | No exceptions noted | Well controlled |
2. The security program has a governance structure with clear accountabilities, including the appointment of a Departmental Security Officer functionally responsible to the deputy head or the executive committee (EMC). | Audit report observation #6 | Moderate Issues |
3. The President has not delegated his authority to deny, revoke or suspend security clearances. | No exceptions noted | Well controlled |
4. The security program has defined objectives aligned with departmental and government-wide policies, priorities and plans. | No exceptions noted | Well controlled |
5. The security program is monitored, assessed and reported on to measure management efforts, resources and success toward achieving its expected results, including achieving and maintaining an acceptable level of residual risk. | Audit report observation #6 | Moderate Issues |
6. Accountabilities, delegations, reporting relationships and roles & responsibilities of Agency employees with physical security responsibilities are defined, documented and communicated. | Management letter observation #1 | Well controlled |
7. A Business Continuity Program has been established with a supporting governance structure including establishing accountabilities for Senior Management and appointment of a BCP coordinator. | Audit report observation #1 | Moderate Issues |
Line of Inquiry 2 - Risk Management | ||
8. There is a documented process for the systematic identification, assessment and management of security threats, risks and vulnerabilities to physical assets. The process includes ongoing monitoring of these risks and adaptation to changes within the Agency and in the threat environment. | Audit report observation #3 | Moderate Issues |
9. The Departmental Security Officer (DSO) has developed and implemented a Departmental Security Plan (DSP) and the plan is updated periodically. | No exceptions noted | Well controlled |
10. The DSP provides an integrated view of the Agency’s security requirements, outlining strategies, objectives priority and timelines for improving the Agency’s security posture. Security posture refers to the combination of policies, procedures and controls that comprise the Agency’s overall approach to security. | No exceptions noted | Well controlled |
11. The DSP identifies security threats, risk and vulnerabilities to determine an appropriate set of control objectives | No exceptions noted | Well controlled |
12. The DSP identifies and establishes minimum and additional controls when necessary to meet control objectives and achieve an acceptable level of residual risk | No exceptions noted | Well controlled |
13. Residual risks defined in the DSP are formally accepted by the appropriate level of management | Audit report observation #3 | Moderate Issues |
14. The DSO has implemented a quality assurance program to verify that security controls most efficiently and effectively meet departmental security requirements | Audit report observation #6 | Moderate Issues |
15. A business impact analysis has been conducted to assess the impacts of disruptions on the department and to identify and prioritize critical services and associated assets. | Audit report observation #1 | Moderate Issues |
16. A business continuity plan has been developed in response to the results of the business impact analysis and has been approved by senior management. | Audit report observation #1 | Moderate Issues |
17. Business Continuity Program readiness is established through regular testing, review and revision of the plan and training of staff. | Audit report observation #1 | Moderate Issues |
Line of Inquiry 3 - Physical and Personnel Security Controls | | |
18. A documented process exists to handle security incidents, including identification of when there is a requirement to report to central agencies. | Audit report observation #7 | Moderate Issues |
19. Security requirements are integrated into business planning, programs, services and other management activities. | No exceptions noted | Well controlled |
20. Security requirements are taken into consideration in contracting. | No exceptions noted | Well controlled |
21. Managers and employees are aware of their roles and responsibilities with respect to physical security and the protection of assets. | Audit report observation #2 | Moderate Issues |
22. The Agency has established guidance for the classification and designation of information that assigns the proper level in accordance with established criteria for the GC. The guidance is reviewed and updated periodically. | Audit report observation #4 | Moderate Issues |
23. The DSO or delegate has established and documented the security screening requirements for the Agency and these requirements are reviewed periodically or when significant changes occur. | No exceptions noted | Well controlled |
24. The DSO or delegate has established and documented security screening procedures for the Agency that are coordinated with Human Resource procedures and address the full lifecycle from granting through maintenance and revocation if required. The procedures are reviewed and updated periodically. | Audit report observation #5; Management letter observation #2 | Moderate Issues |
25. A security file is maintained for individuals who undergo screenings in accordance with the Treasury Board defined Standard Personal Information Bank (PIB). | No exceptions noted | Well controlled |
26. Managers and employees are aware of their roles and responsibilities with respect to personnel security screening. | No exceptions noted | Well controlled |
27. Physical access to protected and classified assets is based on hierarchy of zones. | No exceptions noted | Well controlled |
28. Access to restricted-access areas is controlled using safeguards that grant access only to authorized personnel, including: identification cards, access badges, electronic access control, closed-circuit video, security control centre, secure rooms & security guards. | Management letter observation #3 | Well controlled |
29. Facility management activities including leases, cleaning & maintenance, signage, locking hardware, key control and representation on the facility security committee are carried out in accordance with the Operational Security Standard on Physical Security. | Management letter observation #4 | Well controlled |
30. Protected and classified assets are stored in approved containers and restricted-access areas. | Audit report observation #4 | Moderate Issues |
31. An inventory system has been implemented to track assets of value throughout their lifecycle and is maintained and verified on a regular basis. | No exceptions noted | Well controlled |
32. Authorized physical access to protected and classified assets is maintained during transportation and when working offsite. | No exceptions noted | Well controlled |
33. Authorized access to protected and classified assets is maintained up to and including the disposal process and the disposal process is in accordance with the Operational Security Standard on Physical Security. | Management letter observations #5 & #6 | Well controlled |