Internal Audit of Physical Security

March 2017

  1. Executive Summary
  2. Detailed Report
  3. Observations, Recommendations, and Management Action Plan
  4. Appendix

1. Executive Summary

1.1. Objective

The objective of the audit is to provide assurance that CIHR’s physical security environment protects its staff, assets and physical infrastructure from threats in compliance with the Policy on Government Security and other related Treasury Board policies.

1.2. Scope

The audit assessed if CIHR had established the required elements of a departmental security program for physical security, personnel screening, business continuity and disaster recovery planning in accordance with the Policy on Government Security including the:

The following areas were out of scope for the audit:

1.3. Overall Audit Opinion

The audit has concluded that physical security has moderate issues. Control weaknesses exist, but exposure is limited because the likelihood or the impact of the risk is not high.

1.4. Summary of Strengths

The following strengths were noted related to physical security:

1.5. Summary of Improvement Opportunities

The following aspects of physical security and business continuity and disaster recovery planning require management’s attention. These are presented along with the actions to be taken by management to address the risks. The observations, recommendations and management action plan are discussed in greater detail in the Detailed Report that follows the executive summary.

Observation 1:

CIHR may be unable to continue essential operations in the case of an interruption due to gaps in business continuity and disaster recovery planning.

Response 1:

The current Business Continuity Plan (BCP) was approved in October 2011 by the Executive Management Committee (EMC). The Departmental Security Officer (DSO) is conducting consultations with Management to identify current requirements, review initial assumptions for the BCP-DRP (Disaster Recovery Plan), and update the BCP-DRP. Disaster scenarios (BCP) will be developed and table top exercises will be planned, executed and documented to maintain focus and ensure resources are put to best use in case of a crisis.

Observation 2:

Mandatory security awareness training is not completed by all new employees and there are gaps in current employees’ physical security knowledge.

Response 2:

Security will update the guidelines to provide more direction and precision on information handling. Storage requirements will be addressed and mitigated with training and a clean desk policy will be encouraged. Security is currently working on the design of a security awareness program and information management on-line training specific to CIHR. In our opinion, the Canada School of Public Service training module is too generic and basic. We will coordinate efforts with Information Management on the content of training and with Human Resources on having this training mandatory for all new and current employees.

Observation 3:

Physical Security risk assessments require updating and action items from previous assessments are not tracked to closure.

Response 3:

Following the last assessment, risks identified were mitigated and our threat and risk levels remain low. Security will review and assess the physical risk landscape to identify new or evolving risks to CIHR personnel and assets. CIHR Security will track the status of identified risks and action items to closure and will ensure through briefings and written notifications that management formally accepts residual risks.

Observation 4:

Personnel who handle sensitive documents are not always provided with approved storage containers and would benefit from additional guidance on classification and handling.

Response 4:

Less than 1% of information is classified at the SECRET level at CIHR. There are one or two TB submissions per year handled by Finance and a secure cabinet is available in the unit. The Policy and Government Relations unit handles Cabinet Confidences and correspondence from Ministers’ offices. Security will review the requirements and provide guidance to staff on the process and procedures related to the handling of SECRET documents.

Observation 5:

Screening requirements for Governing Council members should be clarified, documented and enforced.

Response 5:

CIHR Security is currently consulting with staff of the Governance Secretariat to provide guidance and direction on the process and the importance of having members screened prior to the beginning of their mandate. Security screening forms should become part of the selection process from the beginning.

Observation 6:

The Departmental Security Officer does not report functionally to the President or Executive Management Committee.

Response 6:

A letter of appointment of the DSO by the President of CIHR is under development and will be sent to the President for signature. Regular updates to EMC and the President on progress of the implementation of the Department Security Plan and other relevant updates will be provided once a year and when new risks are identified.

Observation 7:

There is no overall process for security incidents to ensure proper reporting and capture of data for trend analysis.

Response 7:

CIHR Security has a suite of processes and procedures in response to several types of incidents and we will develop a more formal process. It must be stated that our level of incidents is very low.

1.6. Statement of Conformance

The Audit of Physical Security conforms with the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.

Internal Audit thanks management and staff for their assistance and cooperation throughout the audit.

David Peckham
Chief Audit Executive & Director General, Performance and Accountability
Canadian Institutes of Health Research

Management agrees with the conclusion of the audit.

Martin Bernier
Departmental Security Officer, Chief Information Officer & Director General Information Technology & Management Services
Canadian Institutes of Health Research

2. Detailed Report

2.1. Physical Security, Business Continuity and Disaster Recovery

Physical security comprises the policies, procedures and controls established to safeguard assets and employees from harm resulting from threats and vulnerabilities in the physical environment. Protection of government employees and assets is a key element of the Policy on Government Security, which establishes the government-wide security requirements necessary to support the continued delivery of services to Canadians. Business continuity and disaster recovery planning establish the elements needed to minimize the effects of interruptions on the Agency’s critical processes through mitigating activities and the establishment of planned recovery procedures.

The Policy on Government Security and its supporting directives and standards require ongoing assessment of risk to select, implement, monitor and maintain controls aimed at preventing, detecting, responding to and recovering from security incidents.

CIHR does not deliver services that are considered mission-critical in the broader context of the Government of Canada. Mission-critical services are defined as those that are critical to the health, safety, security or economic well-being of Canadians, or the effective functioning of government. While CIHR does not hold significant quantities of sensitive information, business processes do collect personal and confidential information from researchers, employees and other stakeholders. CIHR’s physical location in a privately-owned, publicly-accessible building close to the centre of government also carries security implications.

2.2. Risks Addressed by the Audit

Risks specific to physical security were identified and assessed. Broadly, these potential risks can be summarized as:

Consideration was also given to organizational risks as documented in the corporate risk profile and the general risk categories as presented in the Treasury Board Guide to Risk Taxonomies.

2.3. Methodology and Criteria

The Internal Audit of Physical Security is part of the 2015-18 Risk-Based Audit Plan, as approved by CIHR’s Governing Council.

The audit was conducted in accordance with the Federal Government’s Policy on Internal Audit and related instruments. The principal audit techniques used included:

Controls were assessed as adequate if they were sufficient to minimize the risks that threaten the achievement of objectives. Detailed criteria and conclusions are contained in the Appendix of this report.

The audit was conducted between September 2016 and February 2017.

3. Observations, Recommendations, and Management Action Plan

Observation / Recommendation / Management Action Plan

1. CIHR may be unable to continue essential operations in the case of an interruption due to gaps in business continuity [Footnote 2] and disaster recovery planning. (Criteria #7, #15, #16, #17)

A review of CIHR’s continuity and disaster recovery documentation noted several gaps that could impair or delay the Agency’s ability to resume business operations should an incident occur. While CIHR does not deliver services that are deemed mission critical to the Government of Canada, departments and agencies should establish a business continuity program to address other-than-critical services. [Footnote 3]

The current plan has gaps
The primary documentation source for business continuity at CIHR is the Business Continuity Plan. The plan is premised on the CIHR offices being inaccessible and focused on providing an alternate location for CIHR management to convene and plan for recovery. A prioritization of business operations is not included as the plan does not envision immediate recovery of operations. Other existing CIHR documents relevant to business continuity include a Pandemic Business Continuity Plan, Disaster Recovery Plan and IT Recovery Options Report. These documents are inconsistent in how they prioritize services for recovery, and may not represent CIHR’s current business priorities.

Roles and responsibilities need to be better defined for ensuring readiness of the program
The Business Continuity Plan defines the roles and responsibilities of a Crisis Management Team, and identifies primary and backup personnel to fill these roles. The plan documents the responsibilities of the team once an incident has occurred; however, the team’s role in the development and approval of the program, and in ensuring its readiness, is not well-defined.

Resource and service allocation need to be clarified.
The current business continuity plan is IT focused but continuity of services also requires staff and data in addition to systems and technology. These additional accountabilities should be considered in the governance structure.

Business continuity plans should reflect current business priorities and be tested for ongoing effectiveness
The current plan should be further developed to include key elements to improve its clarity and breadth including:

  • clearly identifying and agreeing on which services are essential to the Agency in the case of an incident;
  • defining all the elements needed to support the identified essential business activities, including staff, information and systems, within the timelines defined by management;
  • linking to other key processes, such as emergency preparedness, depending on the nature of the event;
  • considering dependencies and commitments to third parties, both where CIHR relies on a service, such as the Common Payment System, and where CIHR has made a service commitment to other organizations, such as support for the Common CV;
  • developing the schedule and approach for review and refresh or renewal of the plan; and
  • detailing monitoring, including how often the plan will be tested, the different types of tests to be carried out, and how the test results will be fed back into the review and refresh process.

The DSO and Security team recognize these gaps, and activities are underway to review and revise the Business Continuity Plan. Information technology recovery options are being explored so that management can consider recovery cost information in the prioritization of essential services.

Risk and Impact
Lack of adequate business continuity and disaster recovery planning leaves CIHR vulnerable to unnecessary or extended outages in the delivery of services. Insufficient input from Senior Management may result in a focus on continuity and recovery of business services that do not directly support CIHR strategic business priorities; resources may be misdirected in these efforts.

1a) Establish, document and communicate the governance structure for the Business Continuity Planning program, including accountabilities, roles and responsibilities for all required elements.

1b) Conduct a business impact analysis to identify the critical services required to continue operations in the event of an interruption. Obtain agreement from senior management on the priority and level of operations required for each service, taking into account the cost of continuance and/or recovery of services.

1c) Update the business continuity plan to reflect the results of 1a) and 1b), and ensure supporting elements including the disaster recovery plan are identified and aligned.

1d) Establish and document a process for regular testing, review and update of the business continuity plan and supporting elements, including how test results will be used to inform future iterations of the plans.

1a) to 1d) Responsibilities
Departmental Security Officer

Action:
Agreed
The current BCP was approved in October 2011 by EMC. The DSO is currently conducting consultations with Management to identify current requirements, review initial assumptions for the BCP-DRP, and update the BCP-DRP.

Disaster scenarios (BCP) will be developed and table top exercises will be planned, executed and documented to maintain focus and ensure resources are put to best use in case of a crisis.

Expected Completion
March 31, 2018

2. Mandatory security awareness training is not completed by all new employees and gaps exist in current employees’ physical security knowledge. (Criterion #21)

CIHR has recently updated its onboarding process to include mandatory Security Awareness training for term and indeterminate employees. This training is available online from the Canada School of Public Service. It is up to the supervisor to ensure that new employees attend this training. During the period between November 2015 and November 2016, there were fourteen new term and indeterminate employees of whom only two completed the training.

Ongoing security awareness for employees is provided through the Security page on the Intranet, CIHR-wide communications for specific incidents and activities during the annual Government of Canada Security Awareness Week in February. The February 2016 week was primarily focused on information technology security, but physical security was also addressed by materials and activities.

[redacted for security reasons]

During an inspection conducted during core business hours, no classified documents were left exposed; however, some documents containing personal information and other sensitive data were observed in unattended offices and cubicles.

An after-hours inspection had similar results, including a document with sensitive employee information. It was also observed that many files designated PROTECTED are left unsecured in cubicles overnight, contrary to the guidance provided in the CIHR Protecting and Handling Information [Footnote 4] document.

Risk and Impact
CIHR personnel play an important role both in their own protection and protection of CIHR information and assets. Lack of detailed guidelines and awareness on physical security and document storage may result in exposure of personnel and information.

2a) Review and update the “Protecting and Handling Information” guideline to include more specific directions on the handling and storage of CIHR files.

2b) Ensure employees have adequate storage cabinets in accordance with the files they handle and the storage requirements; consider implementing a clean-desk policy.

2c) Ensure that security awareness training and materials include physical security aspects such as access to the premises and the proper protection of documents.

2d) Ensure new and on-strength employees attend the CSPS Security Awareness Training course as required.

2a) Responsibility
Departmental Security Officer

Action:
Agreed
Security will update the guideline to provide more direction and precision on information handling.

Expected Completion
December 2017

2b) Responsibility
Departmental Security Officer

Action:
Partially agreed
Storage requirements will be addressed and mitigated with training and a clean desk policy will be encouraged.

Expected completion:
September 2017

2c and d) Responsibility
Departmental Security Officer

Action:
Agreed
Security is currently working on the design of a security awareness program and information management on-line training specific to CIHR. In our opinion, the CSPS training module is too generic and basic. We will coordinate efforts with Information Management on the content of training and with HR on having this training mandatory for all new and current employees.

Expected completion:
March 31, 2018

3. Physical Security risk assessments require updating and action items from previous assessments are not tracked to closure (Criteria #8, #13)

The Directive on Departmental Security Management [Footnote 5] requires the Agency to “develop, document, implement and maintain processes for the systematic management of security risks to ensure continuous adaptation to the changing needs of the department and threat environment.” Threat and risk assessments are a key element of these processes, used to identify areas where security provisions over and above the required government baselines are needed.

The last documented risk assessment of the physical space occupied by CIHR occurred in 2009, when a Threat and Risk Assessment (TRA) was conducted on the 9th floor reception area and the President’s office at 160 Elgin Street. Recommendations were made to address risks identified in three areas: employee safety, facility perimeter security, and classified information / equipment holdings. While the reception desk was staffed on a 24-hour basis with Commissionaires and video surveillance was added, not all the recommendations were implemented. The status of the items was not formally tracked to either implement them or have management accept the risk.

Tracking the status of recommendations and their associated actions is a key component of ensuring that risks are both understood and either mitigated or accepted by management. Periodic review ensures that any changes to either the internal or external environment are identified and assessed for impact.

Although CIHR has not changed its physical location since its inception, there have been changes in the surrounding environment, such as new building tenants and renovations to the building lobby. These modifications, along with internal changes such as new working hours or movement of personnel within the office space, could increase physical security risks.

Risk and Impact
Unidentified risks in the physical environment could pose a threat to the security of CIHR employees and information assets. Lack of tracking can result in identified risks not being addressed or re-work during subsequent risk assessment activities.

3a) Conduct a threat and risk assessment of physical security risks for the CIHR location.

3b) Document a schedule and identify triggering events for review and re-evaluation of risks related to physical security.

3c) Track the status of identified risks and action items to closure. Ensure management formally accepts residual risks.

3a and b) Responsibilities
Departmental Security Officer

Action:
Agreed
Following the last assessment, risks identified were mitigated and our threat and risk levels remain low.
Security will review and assess the physical risk landscape to identify new or evolving risks to CIHR personnel and assets.

Expected Completion
September 30, 2017

3c) Responsibility
Departmental Security Officer

Action:
Agreed
CIHR Security will track the status of identified risks and action items (3a and 3b) to closure and will ensure through briefings and written notifications that management formally accepts residual risks.

Expected completion:
March 31, 2018

4. Personnel who handle sensitive documents are not always provided with approved storage containers and would benefit from additional guidance on classification and handling. (Criteria #22, #30)

The majority of information received and processed by CIHR is unclassified or at most PROTECTED B. There is a limited amount of information considered more sensitive that may be classified at the SECRET level. This information primarily comprises Cabinet Confidences, whose classification and handling are governed by the Privy Council Office’s Policy on the Protection of Cabinet Confidences. [Footnote 6]

Cabinet Confidences are handled by a subset of CIHR staff: these documents include Memorandums to Cabinet, Budget Submissions, and Submissions to Treasury Board, along with supporting documentation and other briefing materials sent to or received from the Minister’s office. While key staff members who receive and coordinate information with the Minister’s office have been provided with the appropriate cabinets for storing sensitive information, not all personnel that handle these documents are so equipped.

The CIHR document Protecting and Handling Information [Footnote 7] reflects the Policy on the Protection of Cabinet Confidences and other Treasury Board policies. It provides guidance to CIHR staff on classifying and protecting information received, created, processed and stored at CIHR.

This guidance document recommends that submissions to Treasury Board be classified as SECRET. However, the Policy on the Protection of Cabinet Confidences stipulates that submissions to Treasury Board and supporting materials be classified according to their content, with a minimum classification of PROTECTED B.

Interviews with staff that handle these documents found that a mix of classifications is used and that additional guidance would be useful. Treasury Board submissions classified as SECRET were not stored in approved cabinets.

Although not documented, there is a general understanding within CIHR that Treasury Board submissions do not have the same level of sensitivity once they have been approved by the Board and may be handled and stored differently than before they are approved. However, the Policy on the Protection of Cabinet Confidences states “Cabinet confidences that have been in existence for more than 20 years may be declassified or downgraded by the originating organization in accordance with departmental criteria for the declassification or downgrading of sensitive information.”

Risk and Impact
Protection of Cabinet Confidences is a convention that “protects the collective decision-making process and solidarity of Ministers, enabling them to support government decisions despite any differing views”. [Footnote 8] Exposure of this information as a result of improper handling could impact decision-making within the Health portfolio and result in a loss of trust in CIHR from other government departments. Conversely, over-classification can result in unnecessary costs and impacts to productivity.

4a) Review the guidance for classification of Treasury Board Submissions, update as appropriate and ensure staff are aware of the full life-cycle requirements for these documents.

4b) Ensure all staff who handle paper copies of Cabinet Confidences are identified and provided with secure storage containers.

4a and b) Responsibilities
Departmental Security Officer

Action:
Agreed
Less than 1% of information is classified at the SECRET level at CIHR. There are one or two TB submissions per year handled by Finance and a secure cabinet is available in the unit. The Policy and Government Relations unit handles Cabinet Confidences and correspondence from Ministers’ offices.

Security will review the requirements and provide guidance to staff on the process and procedures related to the handling of SECRET documents.

Expected Completion
June 2017

5. Screening requirements for Governing Council members should be clarified, documented and enforced. (Criterion #24)

Members of the CIHR Governing Council are appointed by the Governor-in-Council through a process defined by the Privy Council Office. Part of the Privy Council Office process includes a background check on the candidate comprising the following elements:

  • police records check by the RCMP;
  • Canadian Security Intelligence Service indices check; and
  • a verification with the Canada Revenue Agency for any compliance-related issues.

The results of the background check are confidential to the Privy Council Office and not shared with CIHR.

While the history and origin of this requirement are not recorded, current internal practice is that Governing Council members are screened to the SECRET level. A review of the clearance status of Governing Council members as of November 2016 found that only four of the fourteen active members held this security clearance level.

Through discussion with staff, the primary reason for Governing Council members not obtaining this clearance level is a delay in completion and return of the necessary forms from members to CIHR.

Risk and Impact
Security screening is one of the elements required to mitigate potential improper use and disclosure of sensitive information. Without verifying the background of committee members who have a need to review sensitive documents, there is a risk of information misuse or exposure.

While the risk may be somewhat mitigated by the background checks conducted by the Privy Council Office, it is CIHR that has the responsibility to ensure those provided with sensitive information have met the necessary clearance requirements.

5a) The required clearance level for Governing Council members should be analyzed, assessed against the current checks that are completed through the Governor-in-Council process, and the requirements documented.

5b) Ensure Governing Council members are cleared to the required level prior to gaining access to sensitive materials. Assign ownership to the appropriate group for ensuring members complete and return required documentation.

5a and 5b) Responsibilities
Departmental Security Officer

Action:
Agreed

CIHR Security is currently consulting with staff of the Governance Secretariat to provide guidance and direction on the process and the importance of having members screened prior to the beginning of their mandate.

Security screening forms should become part of the selection process from the beginning.

Expected Completion
March 2017

6. The Departmental Security Officer does not report functionally to the President or Executive Management Committee. (Criteria #2, #5, #14)

The Policy on Government Security [Footnote 9] requires the Departmental Security Officer to be functionally responsible to the Deputy Head (the President) or the departmental executive committee (Executive Management Committee). Such a relationship facilitates the Departmental Security Officer’s ability to carry out their duty to recommend appropriate remedial action to the deputy head or senior management committee (as appropriate) in order to address any identified deficiencies in the Agency security program. [Footnote 10]

The CIHR Departmental Security Officer is also the Chief Information Officer and Director General of Information Technology Management and reports to the Vice-President, Resource Planning and Management. The Departmental Security Officer does have regular status updates with the President, providing an opportunity to discuss security matters directly with the Deputy Head; however, this reporting relationship is not formalized.

Past Departmental Security Officers were formally appointed into and delegated the authority of the role through a letter from the President; however, this was not completed for the current Departmental Security Officer. Formal delegation of authority ensures that accountabilities and responsibilities are clear.

The Departmental Security Plan is developed by the Departmental Security Officer and identifies the security objectives for the Agency over a three-year period. Both the previous and current Departmental Security Plans included the short and medium-term actions required to achieve these security objectives.

Monitoring and oversight of progress against the plan enables senior management to assess progress towards the security objectives and the mitigation of identified risks. However, regular updates on progress against the recommendations in the previous Departmental Security Plans were not provided to EMC, and while the current plan includes performance measures and recommendations on reporting, the frequency and report recipients are not detailed.

Regular updates to EMC and the President on progress of the implementation of the Department Security Plan will provide visibility for security at the Senior Management level and support the oversight and monitoring of the security program.

Risk and Impact
Without formal delegation of authority and establishment of clear reporting lines between the Departmental Security Officer and Senior Management, security matters may not receive the necessary oversight or be taken into consideration in business decisions. Well-defined accountabilities, responsibilities and lines of communication are necessary for an effective response in the event of a security incident.

6a) Formally appoint the Departmental Security Officer with a functional reporting line to the President or the Executive Management Committee.

6b) Implement regular, periodic reporting to the Executive Management Committee on progress against the Departmental Security Plan.

6a) Responsibility
Departmental Security Officer

Action:
Agreed
A letter of appointment as DSO by the President of CIHR is under development and will be sent to the President for signature.

Expected completion:
March 31, 2017

6b) Responsibility
Departmental Security Officer

Action:
Agreed
Regular updates to EMC and the President on progress of the implementation of the Department Security Plan and other relevant updates will be provided once a year and when new risks are identified.

Expected completion:
September 2017

7. There is no overall process for security incidents to ensure proper reporting and capture of data for trend analysis. (Criterion #18)

The Operational Security Standard on Physical Security [Footnote 11] requires departments to establish measures to respond to physical security incidents that ensure they are reported to appropriate security officials, and that immediate and long-term corrective action is taken in a timely fashion. While the immediate response to an incident is of paramount importance to ensure the protection of employees and assets, incident analysis, lessons learned and corrective actions are also part of effective ongoing security and risk management.

CIHR has defined procedures for handling security incidents that are specific to the type of incident as follows:

  • The Procedures for Threatening Incidents, Harassing and Nonsensical Telephone Calls or Correspondence outline the steps for employees to follow if they experience threatening incidents, phone calls or correspondence.
  • The Prevention of Violence in the Workplace Policy includes details on reporting and responding to these types of incident.
  • The intranet page Travelling with a CIHR mobile device requires employees to report any missing, lost or stolen electronic devices to the IT Help Desk.

These procedures are focused on the initial reporting of incidents and, in some cases, the initial response approach. Notifying CIHR Security is part of all procedures; however, the steps subsequently taken by Security and other stakeholders are not fully documented.

A documented framework or process that allows for security incidents to be triaged and the appropriate course of action taken through to final closure would ensure all stakeholders are involved as required. A standardized approach to the collection of information about security incidents also allows for analysis of trends to identify risk areas as well as possible gaps in security awareness and training of employees.

Risk and Impact
Without a defined process for the full lifecycle of managing a security incident, internal and external reporting may not be completed as required. Lack of history and analysis on all security incidents may result in risks not being assessed or missed opportunities to improve security awareness.

7a) Establish and document a process to classify security incidents to ensure that:

  • reporting to internal and external stakeholders is performed as required;
  • analysis is performed and corrective actions taken; and
  • incidents are tracked to allow for trend analysis and input to risk assessments.

7a) Responsibility
Departmental Security Officer

Action:
Agreed
CIHR Security has a suite of processes and procedures in response to several types of incidents and we will develop a more formal process.

It must be stated that our level of incidents is very low.

Expected completion:
October 2017

During the course of our audit, some minor opportunities for improvement were identified that could strengthen systems of internal control, streamline operations and/or enhance processes related to physical security. We have documented these observations in a management letter.

4. Appendix

4.1. Audit Criteria

The audit uses the following definitions to make its assessment of the internal control framework.

Conclusion on Audit Criteria: Definition of Opinion

Well controlled: Well managed, no material weaknesses noted or only minor improvements are needed.

Moderate issues: Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high.

Significant improvements required: Control weaknesses either individually or cumulatively represent the possibility of serious exposure.

4.2. Overall conclusion

The audit has concluded that physical security has moderate issues. Control weaknesses exist, but exposure is limited because the likelihood or the impact of the risk is not high.

Criteria (each followed by its Reference to Observations and Conclusion)

Line of Inquiry 1 – Governance (Accountabilities, Roles & Responsibilities)

1. The President has established a security program for the coordination and management of departmental security activities.
   Reference: No exceptions noted. Conclusion: Well controlled.

2. The security program has a governance structure with clear accountabilities, including the appointment of a Departmental Security Officer functionally responsible to the deputy head or the executive committee (EMC).
   Reference: Audit report observation #6. Conclusion: Moderate issues.

3. The President has not delegated his authority to deny, revoke or suspend security clearances.
   Reference: No exceptions noted. Conclusion: Well controlled.

4. The security program has defined objectives aligned with departmental and government-wide policies, priorities and plans.
   Reference: No exceptions noted. Conclusion: Well controlled.

5. The security program is monitored, assessed and reported on to measure management efforts, resources and success toward achieving its expected results, including achieving and maintaining an acceptable level of residual risk.
   Reference: Audit report observation #6. Conclusion: Moderate issues.

6. Accountabilities, delegations, reporting relationships and roles & responsibilities of Agency employees with physical security responsibilities are defined, documented and communicated.
   Reference: Management letter observation #1. Conclusion: Well controlled.

7. A Business Continuity Program has been established with a supporting governance structure, including establishing accountabilities for Senior Management and appointment of a BCP coordinator.
   Reference: Audit report observation #1. Conclusion: Moderate issues.

Line of Inquiry 2 – Risk Management

8. There is a documented process for the systematic identification, assessment and management of security threats, risks and vulnerabilities to physical assets. The process includes ongoing monitoring of these risks and adaptation to changes within the Agency and in the threat environment.
   Reference: Audit report observation #3. Conclusion: Moderate issues.

9. The Departmental Security Officer (DSO) has developed and implemented a Departmental Security Plan (DSP) and the plan is updated periodically.
   Reference: No exceptions noted. Conclusion: Well controlled.

10. The DSP provides an integrated view of the Agency’s security requirements, outlining strategies, objectives, priority and timelines for improving the Agency’s security posture. Security posture refers to the combination of policies, procedures and controls that comprise the Agency’s overall approach to security.
   Reference: No exceptions noted. Conclusion: Well controlled.

11. The DSP identifies security threats, risks and vulnerabilities to determine an appropriate set of control objectives.
   Reference: No exceptions noted. Conclusion: Well controlled.

12. The DSP identifies and establishes minimum and additional controls when necessary to meet control objectives and achieve an acceptable level of residual risk.
   Reference: No exceptions noted. Conclusion: Well controlled.

13. Residual risks defined in the DSP are formally accepted by the appropriate level of management.
   Reference: Audit report observation #3. Conclusion: Moderate issues.

14. The DSO has implemented a quality assurance program to verify that security controls most efficiently and effectively meet departmental security requirements.
   Reference: Audit report observation #6. Conclusion: Moderate issues.

15. A business impact analysis has been conducted to assess the impacts of disruptions on the department and to identify and prioritize critical services and associated assets.
   Reference: Audit report observation #1. Conclusion: Moderate issues.

16. A business continuity plan has been developed in response to the results of the business impact analysis and has been approved by senior management.
   Reference: Audit report observation #1. Conclusion: Moderate issues.

17. Business Continuity Program readiness is established through regular testing, review and revision of the plan and training of staff.
   Reference: Audit report observation #1. Conclusion: Moderate issues.

Line of Inquiry 3 – Physical and Personnel Security Controls

18. A documented process exists to handle security incidents, including identification of when there is a requirement to report to central agencies.
   Reference: Audit report observation #7. Conclusion: Moderate issues.

19. Security requirements are integrated into business planning, programs, services and other management activities.
   Reference: No exceptions noted. Conclusion: Well controlled.

20. Security requirements are taken into consideration in contracting.
   Reference: No exceptions noted. Conclusion: Well controlled.

21. Managers and employees are aware of their roles and responsibilities with respect to physical security and the protection of assets.
   Reference: Audit report observation #2. Conclusion: Moderate issues.

22. The Agency has established guidance for the classification and designation of information that assigns the proper level in accordance with established criteria for the GC. The guidance is reviewed and updated periodically.
   Reference: Audit report observation #4. Conclusion: Moderate issues.

23. The DSO or delegate has established and documented the security screening requirements for the Agency and these requirements are reviewed periodically or when significant changes occur.
   Reference: No exceptions noted. Conclusion: Well controlled.

24. The DSO or delegate has established and documented security screening procedures for the Agency that are coordinated with Human Resource procedures and address the full lifecycle from granting through maintenance and revocation if required. The procedures are reviewed and updated periodically.
   Reference: Audit report observation #5; Management letter observation #2. Conclusion: Moderate issues.

25. A security file is maintained for individuals who undergo screenings in accordance with the Treasury Board defined Standard Personal Information Bank (PIB).
   Reference: No exceptions noted. Conclusion: Well controlled.

26. Managers and employees are aware of their roles and responsibilities with respect to personnel security screening.
   Reference: No exceptions noted. Conclusion: Well controlled.

27. Physical access to protected and classified assets is based on a hierarchy of zones.
   Reference: No exceptions noted. Conclusion: Well controlled.

28. Access to restricted-access areas is controlled using safeguards that grant access only to authorized personnel, including: identification cards, access badges, electronic access control, closed-circuit video, security control centre, secure rooms & security guards.
   Reference: Management letter observation #3. Conclusion: Well controlled.

29. Facility management activities including leases, cleaning & maintenance, signage, locking hardware, key control and representation on the facility security committee are carried out in accordance with the Operational Security Standard on Physical Security.
   Reference: Management letter observation #4. Conclusion: Well controlled.

30. Protected and classified assets are stored in approved containers and restricted-access areas.
   Reference: Audit report observation #4. Conclusion: Moderate issues.

31. An inventory system has been implemented to track assets of value throughout their lifecycle and is maintained and verified on a regular basis.
   Reference: No exceptions noted. Conclusion: Well controlled.

32. Authorized physical access to protected and classified assets is maintained during transportation and when working offsite.
   Reference: No exceptions noted. Conclusion: Well controlled.

33. Authorized access to protected and classified assets is maintained up to and including the disposal process, and the disposal process is in accordance with the Operational Security Standard on Physical Security.
   Reference: Management letter observations #5 & #6. Conclusion: Well controlled.