Audit of Physical Security

September 16, 2010

Audit Key Steps

  • Opening conference date (launch memo): May 2009
  • Audit plan sent to management date: November 2009
  • Closing conference date (exit debrief): July 2010
  • Audit report sent to management date: August 2010
  • Management response received date: September 2010
  • Penultimate draft report approved by CAE date: September 2010
  • Audit committee recommended date: October 2010
  • Deputy Minister approval date: March 2011

List of Abbreviations:

  • ACEMD: Assets, Contracting and Environmental Management Directorate
  • ALM: Asset Life Cycle Management
  • CCIW: Canada Centre for Inland Waters
  • CMC: Canadian Meteorological Centre
  • DDSM: Directives and Departmental Security Management
  • DSD: Departmental Security Division
  • DSO: Departmental Security Officer
  • EC: Environment Canada
  • GSP: Government Security Policy
  • ID: Identification Card
  • IM & IT: Information management and information technology
  • MAF: Management Accountability Framework
  • NCR: National Capital Region
  • OCG: Office of the Comptroller General
  • OSH: Occupational Safety and Health
  • PGS: Policy on Government Security
  • RCMP: Royal Canadian Mounted Police
  • RSO: Regional Security Officer
  • SOS: Struck off strength
  • TB: Treasury Board of Canada
  • TBS: Treasury Board Secretariat
  • TRA: Threat and Risk Assessment

Prepared by the Audit and Evaluation Team

Acknowledgments

The audit team, comprising Ariane Laurence-Rouleau and Stella Line Cousineau under the direction of Jean Leclerc, would like to thank those individuals who contributed to this project and, particularly, the employees who provided insights and comments as part of this audit.

Table of Contents

  1. Purpose
  2. Background
  3. Objectives and Scope
  4. Methodology
  5. Statement of Assurance
  6. Audit Opinion
  7. Recommendations
  8. Management Response

Annex 1 Audit Criteria
Annex 2 List of Background Information and Supporting Documentation
Annex 3 Management Action Plan

This is an abbreviated version of the audit report as the release of the information contained in the full version of the report may represent a potential threat and risk to the security of Environment Canada.

1. Purpose

The Audit of the Physical Security was identified in the 2009–2012 Risk-Based Audit and Evaluation Plan, which was approved by the Deputy Minister on July 28, 2009.

2. Background

The Policy on Government Security defines Government security as “the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence.”

In February 2002, the Treasury Board of Canada (TB) issued a revitalized Government Security Policy (GSP) in response to the increased threat implied by the events of September 11, 2001. This policy was supported by a number of directives and standards providing guidance on its application. As required by this policy, Environment Canada (EC) appointed a Departmental Security Officer (DSO) and revisited the governance structure surrounding security. The GSP was replaced in July 2009 by a new Policy on Government Security (PGS). At the same time, a Directive on Identity Management and a Directive on Departmental Security Management were also issued. While the policy took effect in July 2009, departments have until July 2012 to comply with the sections related to the development and implementation of a Departmental Security Plan. Some tools to support the key requirements of these new documents have already been issued: the Treasury Board Guideline on Developing a Departmental Security Plan, issued in June 2010, and a completely restructured MAF Line of Evidence 19, Security. Other tools, such as a Government of Canada Security Performance Measurement Framework, have only begun development and are not expected to be issued in this fiscal year. The DSO is supported by a staff of 25, including security support in the regions.

EC owns over $788M in tangible capital assets and has a workforce of approximately 6,800 people, 60% of whom are located in the regions. In addition, the Department holds sensitive information and critical service infrastructures, located in large cities as well as in remote locations.

This information, combined with the fact that the last audit of security was completed in 2000, led Internal Audit to consider this area high risk and to include it in its risk-based audit plan.

3. Objectives and Scope

The main objective of the audit is to assess the adequacy and effectiveness of EC’s security measures and management controls, through four specific objectives focusing on high-risk areas:

  1. To assess the adequacy of the physical security threat identification and risk management process, with a focus on activities performed at the facility level;

  2. To determine whether roles and responsibilities of all parties involved in departmental physical security are clearly defined, performed by the appropriate party, and cover the span of security activity, as defined by the TB Policy on Government Security;

  3. To determine whether physical access to facilities, classified information and sensitive assets is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access; and

  4. To determine whether employees are aware of and comply with their roles and responsibilities with regard to physical security.

The scope of the audit included all facilities used in EC operations, regardless of the ownership, along with information and assets they contained. It also included all security practitioners, along with employees and managers having general security responsibilities other than Occupational Safety and Health (OSH), as this component was already covered in the Audit of Occupational Safety and Health (2009-2010).

Elements of the management control framework examined included, but were not limited to, policies, processes and procedures, organizational structure, roles and responsibilities, job descriptions, the incident reporting system, monitoring, and threat and risk assessments.

At the departmental level, the audit addressed the following Management Accountability Framework (MAF) areas of management:

  • Stewardship (Assets are protected)
  • Risk Management (Management has a documented approach with respect to risk management)
  • People (The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities)

The audit did not include:

  • Classification of information, as this will be considered by the Audit of the Governance of Information Management scheduled for 2010-2011;
  • Protection of EC information shared with other governments and organizations, as this will also be considered by the Audit of the Governance of Information Management scheduled for 2010-2011;
  • RCMP’s role in the individual security screening, including the portion dealt with by the Canadian Security Intelligence Service, as the RCMP has its own internal audit organization;
  • Information technology security, as it was recently the subject of the Audit of Information Technology Security and the MAF review. An action plan is being implemented to address the identified issues;
  • Security in contracting, as this was covered in the Audit of the Competitive Procurement Process; and
  • Emergency and business continuity planning, as an Audit of Business Continuity was originally planned for 2010-2011. This audit has since been removed from the audit plan to allow implementation of the Business Continuity Plan.

4. Methodology

The audit was conducted in accordance with the Treasury Board Policy on Internal Audit. The planning phase consisted of interviews and consultation with the auditee, review of information, documents and reports and the development of an audit program and associated tools. Detailed audit criteria are provided in Annex 1.

The examination phase included the following approach:

  • Interviews with security practitioners, program managers and employees;
  • Observations of physical safeguards in different facilities; and
  • Documentation examination and comparative analysis against best practices and guidance provided by lead security agencies.

The sample included fourteen (14) facilities out of the 98 identified as workplaces where at least one employee worked on a permanent basis. The sample was selected on a judgemental basis; therefore, results cannot be statistically extrapolated to the population. Selection criteria were prioritized and pro-rated based on the following assumptions:

  • Protection of employees is more important than protection of information and tangible assets;
  • Protection of critical services and critical support functions information and tangible assets is more important than protection of other information and tangible assets;
  • Protection of information and sensitive assets is more important than protection of other tangible assets (sensitivity over materiality); and
  • Facilities shared with other organizations are more at risk than facilities for which EC is the only tenant.

These assumptions were discussed and agreed upon by the Director, Departmental Security Division (DSD) prior to the commencement of the examination phase.

Limitations

Although the visited facilities were considered high-risk, Internal Audit was unable to reconcile the lists of facilities provided by the DSD with another source of information and, therefore, could not assess to what extent sampling was based on a complete and accurate list of facilities. In addition, Internal Audit concluded that data maintained in MERLIN could not effectively be used to track assets to their actual locations and, therefore, could not be used as a starting point for testing. Consequently, the conclusion on the physical security of tangible assets is limited to observable assets in the visited facilities. One of the key objectives of the current Assets Life Cycle Management (ALM) project, led by the Assets, Contracting and Environmental Management Directorate (ACEMD), is to complete an asset count and valuation (capital and non-capital) and incorporate this information into the new extension to MERLIN for life cycle management of assets.

5. Statement of Assurance

This audit has been conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada. 

In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report.  The conclusions are based on a comparison of the situations as they existed between November 2009 and April 2010, against the audit criteria.

6. Audit Opinion

In our opinion, management controls and security measures were not sufficient to ensure rigorous and documented security risk management pertaining to physical security. In fact, a number of deficiencies were noted in the following areas:  threat and risk management, roles and responsibilities, awareness, policies and procedures, and incident management.

7. Recommendations

The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should:

1. Continue the implementation of an integrated security threat and risk management methodology.

The Assistant Deputy Minister, Finance and Corporate Branch should:

2. Clearly define, document and communicate reporting and functional relationships with other administrative functions such as Information Management and Information Technology Security, and Accommodations.

The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should:

3. Continue to develop and implement a security awareness program.

The Assistant Deputy Minister, Finance and Corporate Branch should:

4. Implement a formal approach to security policy design and review, including:

  • A review of the current tools and references posted on the intranet.
  • Continued development and implementation of departmental direction, standards, guidance and procedures on the control of access.

5. Strengthen the incident management process.

8. Management Response

Management agrees with all recommendations, and a detailed action plan to address the audit recommendations has been developed. See Annex 3.

Annex 1 Audit Criteria

Objective A: To determine whether physical access to facilities, classified information and sensitive assets is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access.

  • A.1 Physical security zones are clearly organized into a discernable hierarchy, and authorization for access is granted accordingly. (Source: Operational Security Standard on Physical Security)
  • A.2 Control of access to restricted-access areas uses safeguards that will grant access only to authorized personnel. (Source: Operational Security Standard on Physical Security)
  • A.3 Classified information and sensitive assets are stored in approved containers and restricted-access areas. (Source: Operational Security Standard on Physical Security)
  • A.4 There is appropriate monitoring of the implementation of security activities, and remedial action is identified and communicated to address any deficiencies. (Source: Directive on Departmental Security Management)

Objective B: To determine whether roles and responsibilities of all parties involved in departmental security are clearly defined, performed by the appropriate body, and cover the span of security activity, as defined by the TBS Policy on Government Security.

  • B.1 Roles and responsibilities related to building security are clearly defined and communicated between tenant and custodian. (Source: Operational Security Standard on Physical Security)
  • B.2 Authority, responsibility and accountability are clear and communicated. (Source: TBS CMC AC-1)
  • B.3 A clear and effective organizational structure is established and documented. (Source: TBS CMC AC-3)
  • B.4 The security program includes the following functions: general administration (departmental procedures, training and awareness, identification of assets, security risk management, sharing of information and assets), access limitations, security screening, physical security, protection of employees, information technology security, security in emergency and increased threat situations, business continuity planning, security in contracting and security incident investigations. (Source: Policy on Government Security (2002) requirements)
  • B.5 Security practitioners are provided with the necessary training, tools, resources and information to support the discharge of their responsibilities. (Source: TBS CMC PPL-4)

Objective C: To determine whether employees are aware of and comply with their roles and responsibilities with regard to security.

  • C.1 Employees are aware of and comply with information and asset security. (Source: Directive on Departmental Security Management)
  • C.2 Managers are aware of and comply with their roles and responsibilities with regard to security, especially in the areas of incident reporting and security screening. (Source: Directive on Departmental Security Management)
  • C.3 A security awareness program is implemented to ensure that individuals understand and comply with their security responsibilities and do not inadvertently compromise security. (Source: Directive on Departmental Security Management)

Objective D: To assess the adequacy of the threat identification and risk management process, with a focus on activities performed at the facility level.

  • D.1 Existing facilities are reviewed as part of the TRA activity to determine whether remedial measures are needed. (Source: Operational Security Standard on Physical Security)
  • D.2 Security specifications based on appropriate TRA activity are included in all plans, requests for proposals and tender documentation for construction or modification projects. (Source: Operational Security Standard on Physical Security)
  • D.3 Security issues are fully integrated into the process of planning, selecting, designing, modifying, constructing, implementing, operating and maintaining facilities and equipment. (Source: Directive on Departmental Security Management)


Annex 2 List of Background Information and Supporting Documentation

Treasury Board Policies, Directives and Standards:

  • Policy on Government Security
  • Government Security Policy (Archived 2009-07-06)
  • Directive on Departmental Security Management
  • Directive on Losses of Money or Property
  • Operational Security Standard on Physical Security
  • Personnel Security Standard
  • Security Organization and Administration Standard

Royal Canadian Mounted Police – Technical Security Branch Publications:

  • G1-001 – Security Equipment Guide
  • G1-005 – Preparation of Physical Security Briefs
  • G1-006 – Identification Cards / Access Badges
  • G1-009 – Transport and Transmittal of Protected and Classified Information
  • G1-024 – Controls of Access
  • G1-025 – Protection, Detection and Response
  • G1-026 – Application of Physical Security Zones
  • Harmonized TRA Methodology

Departmental References:

  • Department Security Manual on Physical Security
  • Foreign Visitors Directive – Personnel Security
  • Interim Reliability Status Directive – Personnel Security
  • Physical Security Directive (May 2004)
  • Policy on Write-Off of Materiel
  • Preamble Note to Managers (Security Briefing)
  • Quick Reference Guide (Protected/Classified Information)
  • Security Sweeps Directive

Annex 3 Management Action Plan

Recommendation 1: The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should continue the implementation of an integrated security threat and risk management methodology.

Management actions/activities: Agree. The generic requirement for a departmental TRA process has been long recognized and is now an explicit requirement under the new Policy on Government Security. Such a process will be incorporated in the Departmental Security Plan, the development of which is required by TBS before July 2012.

The department is already delivering on this requirement, using a two-track approach. Track 1 activity includes the development of a strategic level departmental security Threat Risk Assessment (TRA). Phase 1 of this TRA, completed in October 2009-February 2010, was based on Assistant Deputy Minister and Director General level interviews, and Phase 2 shall be completed in October-December 2010 for senior management review in early 2011.

Track 2 activities include continued efforts to complete individual Security TRAs at the site or zone levels: 25 building or zone TRAs were completed in FY 09/10 alone. The development of a comprehensive multi-year plan outlining forecasted development or review of TRAs for every building in the department is underway. At time of writing, this effort is 50% complete and should be completed by December 2010.

Lead: DSO
Due date: July 2012

Recommendation 2: The Assistant Deputy Minister, Finance and Corporate Branch should clearly define, document and communicate reporting and functional relationships with other administrative functions such as Information Management and Information Technology Security, and Accommodations.

Management actions/activities: Agree. Broad functional relationships between security practitioners and direct support administrative units shall be defined in the departmental security plan, the development of which is required by TBS before July 2012.

Lead: DSO
Due date: July 2012

Recommendation 3: The Assistant Deputy Minister, Finance and Corporate Branch should continue to develop and implement a security awareness program.

Management actions/activities: Agree. While it has long been recognized that the current security training and awareness program requires improvement, a fact which was also highlighted in MAF assessments, the departmental security training and awareness program is active and, in some areas, a leader in Government. In FY 09/10 there were security awareness sessions reaching 701 employees, and nine departmental-level security awareness bulletins were issued. The department is also an active member of the TBS-led Government of Canada Inter-Departmental Security Training and Awareness Committee and is the author of products considered to be a government-wide best practice. The Canada School of Public Service, for example, provides EC security products as course material on their manager and executive leadership courses.

Mandatory online security training is being developed in fiscal year (FY) 11/12 for implementation in FY 12/13. In the meantime, an interim security training course for new employees is being developed, with anticipated implementation in early 2011.

Routine inspections and follow-up action at the site level, as expected in TBS baseline security requirements, shall require staffing of the front line security personnel positions.

Lead: DSO
Due date: Mar 2011; resource dependent

Recommendation 4: The Assistant Deputy Minister, Finance and Corporate Branch should implement a formal approach to security policy design and review, including:

  • A review of the current tools and references posted on the intranet
  • Continue the development and implementation of departmental direction, standards, guidance and procedures on the control of access.

Management actions/activities: Agree. Whilst the department supports the recommendation and has indeed actively addressed the access control issue, and shall continue to do so in the near and mid terms, this is considered a low risk area.

Departmental risk management direction regarding control of access was issued on 25 May 2010. This shall be followed, before March 2011, by a comprehensive directive outlining, inter alia, monitoring of the management of ID/Access Cards.

Subsidiary technical standards options analysis (types of card, readers and database) was completed on 2 July 2010, in order to inform the adoption of a common standard to guide future equipment acquisitions. Implementation across the department shall be phased in, where appropriate, on an attrition basis, as older systems are retired at the end of their useful life.

Systematic monitoring and cross-checking of ID/Access card databases with security clearance records dovetails with the employee separation process currently under review in response to a separate audit. However, implementation of this aspect will require the staffing of additional security officer positions.

Lead: DSO
Due dates: Oct 2011; Dec 2010; resource dependent

Recommendation 5: The Assistant Deputy Minister, Finance and Corporate Branch should strengthen the incident management process.

Management actions/activities: Agree. However, it should be noted that the department already has reporting mechanisms in place whereby the Deputy Minister is advised of significant security issues.

Direction regarding the nature and timeliness of incidents to report was issued in December 2009. In addition, the Policy on Departmental Security will include similar guidance at the ADM and DM levels. A new departmental investigations policy, expected in FY 11/12, will establish greater clarity of investigative responsibilities, threshold criteria to initiate investigations and linkages to public accounts reporting of losses of money.

The implementation of an online security incident reporting system in November of 2010 July of 2010 will allow greater visibility on the status of ongoing incidents as well as ease of post facto analysis in support of training and awareness, TRAs and security program priority setting.

Lead: DSO
Due dates: Mar 2012; Nov 2010; Mar 2012