Audit of the Security of National Emergency Strategic Stockpile Warehouse Facilities


Organization: Health Canada

Date published: August 2022

Final report
August 2022

Prepared by the Office of Audit and Evaluation

Executive summary

Introduction

Canada's National Emergency Strategic Stockpile (NESS) contains supplies that provinces and territories depend on during emergencies when their own resources are insufficient. NESS facilities allow for supplies to be deployed anywhere in the country within 24 hours of a request from a province or territory.

In early 2020, the NESS saw its service level increase to include the storage and distribution of COVID-19 pandemic-related supplies (e.g., gloves, masks, gowns, vaccine doses, ventilators). As a result, three temporary warehouse facilities were contracted. Because of the pandemic and the urgency of acquiring NESS warehouse space, time constraints meant that formal physical security assessments were not conducted for these facilities.

Given the significant dependence on these warehouse facilities (their contents and the distribution thereof) during emergencies, it is critical to ensure their physical security and continuity at current and possible future service levels.

Engagement objective

To determine whether NESS warehouse facility oversight and controls adequately support the safeguarding of critical assets and the continuity of critical services.

Engagement scope

The scope of the audit focused on areas that support the safeguarding of critical assets and the continuity of critical services at the eight legacy warehouse facilities and the three temporary warehouse facilities contracted in response to the COVID-19 pandemic. Specifically, the audit focused on physical security, security inspections, and continuity and contingency planning. The audit did not examine inventory management or inventory management system upgrades, as these were examined during external audits completed in 2021. The period under scope is from fiscal year 2016-17 to 2021-22, in order to capture risk assessments within a five-year cycle.

Engagement criteria

  1. Roles, responsibilities, accountabilities, and delegations are aligned with the Treasury Board of Canada Secretariat’s Policy on Government Security and Directive on Security Management.
  2. Risks are appropriately identified, assessed, responded to, and monitored.
  3. Mitigation strategies are established, documented, communicated, and monitored by adequately trained staff.

Statement of conformance

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing and is supported by the results of the Office of Audit and Evaluation's Quality Assurance and Improvement Program.

Overall conclusion

The Corporate Services Branch has established a physical security framework, including methodology, protocols and controls that support the safeguarding of critical assets in NESS warehouse facilities. However, we found some control operating deficiencies which pose moderate risk in relation to the establishment and documentation of physical security design for facilities, the implementation of mitigation strategies, and in the continuity of critical services.

Please note that NESS warehouse facilities are referenced throughout this report using a coded naming convention, in order to protect the sensitive nature of the facilities.

Recommendations

  1. The Vice President, Emergency Management Branch, should assign roles and responsibilities for creating, updating, exercising, and activating business continuity plans (BCP) for NESS warehouse facilities and establish a corresponding BCP process under the guidance of the Assistant Deputy Minister, Corporate Services Branch.
  2. The Assistant Deputy Minister, Corporate Services Branch, should ensure physical security risk assessments are formally approved, and the Vice President, Emergency Management Branch, should ensure recommendations and corresponding risks are formally accepted, and that a corresponding formalized action plan is developed, when applicable.
  3. The Assistant Deputy Minister, Corporate Services Branch, should ensure site selection and security design brief assessments are conducted in the establishment of new facilities, and physical security designs are documented and updated when necessary.
  4. The Assistant Deputy Minister, Corporate Services Branch, should establish a plan for the routine inspection of NESS warehouse facilities in the regions, and clarify responsibility for inspecting the services and security devices that maintain the state of assets in collaboration with the Vice President, Emergency Management Branch.

Criterion 1 - Roles, responsibilities, accountabilities, and delegations are aligned with the Treasury Board of Canada Secretariat’s Policy on Government Security and Directive on Security Management

Context

The Corporate Services Branch (CSB) maintains a framework that outlines the roles and responsibilities for the guidance and monitoring of physical security at Public Health Agency of Canada and Health Canada facilities.

The physical security of NESS warehouse facilities is jointly managed by CSB and the Emergency Management Branch (EMB). In general terms, CSB acts as the guidance and monitoring arm, while EMB acts as the risk acceptance authority (RAA) and implementation arm.

What did we expect to find?

We expected to find that roles, responsibilities, accountabilities, and delegations for the safeguarding of critical assets and the continuity of critical services at NESS warehouse facilities are clearly outlined and aligned with the TBS’s Policy on Government Security and Directive on Security Management.

Findings

Alignment with policies and directives
CSB’s physical security framework was aligned with the TBS Policy on Government Security and the Directive on Security Management, as it pertained to the management of facility physical security, which revolves around identifying security requirements, verifying that security requirements are met, monitoring continued compliance, recommending actions, providing advice, and related reporting.

Alignment with framework
The roles, responsibilities, and accountabilities documented through interviews were in alignment with CSB's physical security framework, via the shared responsibility for the management of the physical security of NESS warehouse facilities. CSB is responsible for monitoring and guidance, and EMB is the risk acceptance authority (RAA) and is responsible for implementation.

Management of temporary NESS warehouse facilities
The management of the physical security of temporary NESS warehouse facilities was consistent with that of legacy NESS warehouse facilities, where various services are provided by third parties, depending on the facility.

Business continuity planning
As a key service, NESS was included in the Health Security Infrastructure Branch's 2019 BCP. However, due to the pandemic, many of the BCP leader and coordinator roles were not assigned, especially in areas that underwent significant change, including EMB, where BCPs were held by the Centre for Emergency Preparedness and Response (CEPR) prior to the establishment of NESS offices and of the EMB. As such, responsibility for NESS BCPs was not assigned and, as a result, business impact analyses and business continuity plans did not exist and could not be reviewed, as part of the audit's second and third criteria, to confirm that they had been updated and exercised routinely.

Conclusion

The roles, responsibilities, accountabilities, and delegations for the management of the physical security of NESS warehouse facilities were aligned with the Treasury Board of Canada Secretariat’s Policy on Government Security and Directive on Security Management; however, EMB had not identified roles, responsibilities, nor accountabilities for developing, updating, exercising, and activating BCPs.

Recommendation

The Vice President, Emergency Management Branch, should assign roles and responsibilities for creating, updating, exercising, and activating business continuity plans for NESS warehouse facilities, and establish a corresponding BCP process under the guidance of the Assistant Deputy Minister, Corporate Services Branch.

Criterion 2 - Risks are appropriately identified, assessed, responded to, and monitored

Context

As per the CSB framework, physical security risk assessments are to be conducted routinely in order to identify any potential gaps in physical security controls. These assessments can be conducted on-site or remotely, as part of the cyclical review. Physical security elements are then assessed using a standardized rating scale and a recommendation for implementation is developed if the risk rating reaches a predetermined threshold.

What did we expect to find?

We expected to find that risks and threats to the safeguarding of critical assets and the continuity of critical services at NESS warehouse facilities are identified, assessed, responded to, and monitored on a routine or cyclical basis, unless a review is triggered earlier.

Findings

Templates
The identification and assessment of risks at NESS warehouse facilities was found to be appropriate through the use of a Facility Security Risk Assessment (FSRA) template when the assessment is conducted on-site, a Remote Facility Risk Assessment (RFSRA) template when the assessment is conducted remotely, and a physical security questionnaire and environmental scan (PSQES) template that supplements the risk management process.

Identified and assessed
Physical security risk assessments consistently considered and assessed the following elements, where applicable: facility type, management and services contracted out to third parties, permanent staff, access controls for contractors and staff, asset class groups, internal and external safeguards, internal and external incidents, such as neighbourhood crime statistics, as well as environmental controls. Exceptions included assessments for two facilities where quick assessments of internal and external safeguards were said to have been conducted, but were not documented, and assessments for two additional facilities in which a known incident was not identified as part of the review in each case.

Responded to
Physical security risk assessments consistently resulted in recommendations that were provided to the client when risk ratings exceeded the allowable threshold. The process for accepting and implementing recommendations stemming from physical security risk assessments was addressed in criterion 3.

Monitored
In our review of the most recent five-year cycle, physical security risk assessments were consistently conducted within the allotted timeframe (unless triggered earlier by environmental changes) for all NESS warehouse facilities, with the exception of facility N05, as it was not fully occupied at the time of the audit. We were also able to indirectly determine that the previous five-year cycle had also been respected, where applicable, given the documented date of previous assessments, with the exception of one facility, as it was not available to the assessor at the time of the most recent assessment.

Conclusion

Risks to the physical security of NESS warehouse facilities were appropriately identified through standardized consideration, assessed by employing a standardized rating scale, responded to via the development of recommendations when the risk rating exceeds a set threshold, and monitored through assessments conducted every five years, unless triggered earlier.

Recommendation

This criterion did not result in a recommendation.

Criterion 3 - Mitigation strategies are established, documented, communicated, and monitored by adequately trained staff

Context

In the establishment of new facilities, site selection and security design briefs are conducted in order to assess proposed sites and develop corresponding security designs for those sites. Facilities are then monitored through a combination of facility risk assessments, accompanied by recommendations for implementation when necessary, inspections, and the monitoring and reporting of incidents.

What did we expect to find?

We expected to find that assessments for the establishment of facilities were conducted and documentation of physical security designs exist and are maintained. We also expected to find that facilities are monitored through a combination of detection controls, incident reporting and response protocols, and routine inspections.

Findings

Communicated and established
Recommendations were adequately documented in corresponding risk assessments and tracked using a spreadsheet with relevant details, including the risk acceptance authority (RAA), observation, risk rating, recommendation, and status. However, we found that there was no formal acceptance of recommendations or risks stemming from risk assessments and corresponding formalized action plans to implement recommendations, despite having a place for formal sign-off by the DCSO and Director of NESS at the end of risk assessments.

Documented
Responsibility for eight of the NESS warehouse facilities was transferred to CSB following their establishment; therefore, site selection and security design briefs did not exist for those facilities. The remaining three facilities were contracted in response to the COVID-19 pandemic; however, due to the urgency of needing to establish these facilities, quick site reviews were conducted instead of site selection and security design briefs. Moreover, despite documented physical security designs existing for the six NESS warehouse facilities in the NCR, they did not exist for the five facilities in the regions.

Monitored
Depending on the site, NESS warehouse facilities were monitored through a combination of security systems, camera sweeps, patrols, 24/7 security guards, incident reporting and response protocols, and security inspections conducted on an annual basis by a third-party physical security consultant. However, inspections were not being conducted for facilities in the regions. Moreover, the responsibility for inspecting the devices that maintain the state of assets appeared to be unclear, given that neither CSB nor EMB was conducting these inspections, though these devices existed only in the NCR.

Training
CSB ensured that staff have the skills, knowledge, and expertise to guide and monitor the physical security of NESS warehouse facilities through a combination of its recruitment strategy, informal training, and training by and membership in other government departments (OGDs) that provide criminal intelligence services.

Conclusion

The process for establishing and monitoring physical security mitigation strategies was supported by trained staff, a framework, methodologies, and protocols. However, assessments and related documentation for the establishment of new facilities were absent. Recommendations stemming from facility risk assessments were adequately documented; however, sign-off and communications related to the acceptance and implementation of corresponding controls happened informally. In the monitoring of facilities, incident reporting protocols are adequately followed and inspections are conducted annually by third parties in the NCR, but this has not occurred at any of the facilities in the regions.

Recommendations

  1. The Assistant Deputy Minister, Corporate Services Branch, should ensure physical security risk assessments are formally approved and the Vice President, Emergency Management Branch, should ensure recommendations and corresponding risks are formally accepted, and that a corresponding formalized action plan is developed, where applicable.
  2. The Assistant Deputy Minister, Corporate Services Branch, should ensure site selection and security design brief assessments are conducted in the establishment of new facilities and physical security designs are documented and updated where necessary.
  3. The Assistant Deputy Minister, Corporate Services Branch, should establish a plan for the routine inspection of NESS warehouse facilities in the regions and, in collaboration with the Vice President, Emergency Management Branch, clarify responsibility for inspecting the services and security devices that maintain the state of assets.

Appendix A - Scorecard

Each entry below gives the criterion, its risk rating, the risk remaining without implementing the recommendation, and the corresponding recommendation number(s).

Criterion 1: Roles, responsibilities, accountabilities, and delegations are aligned with the Treasury Board of Canada Secretariat's Policy on Government Security and Directive on Security Management.
Risk Rating: 3
Risk Remaining without Implementing Recommendation: Without an assigned responsibility for developing, updating, exercising, and activating NESS BCPs, there is a risk that the NESS may not be able to provide the critical services that the Canadian population may depend on in case of emergencies.
Rec. #: 1

Criterion 2: Risks are appropriately identified, assessed, responded to, and monitored.
Risk Rating: 1
Risk Remaining without Implementing Recommendation: n/a
Rec. #: n/a

Criterion 3: Mitigation strategies are established, documented, communicated, and monitored by adequately trained staff.
Risk Rating: 3
Risk Remaining without Implementing Recommendation:
  - Without formally accepting risks or recommendations and developing an implementation plan, there is a risk that accountability and responsibility for the implementation of corresponding recommendations may be unclear, resulting in recommendations not being implemented at all, or not in a timely manner, which leaves unacceptable gaps in controls that could compromise the physical security of NESS warehouse facilities.
  - Because of the pandemic and the urgency of acquiring NESS warehouse space, time constraints meant that formal physical security assessments were not conducted. Without full site selection and security design briefs being conducted prior to the establishment of facilities, there is a risk that aspects of the comprehensive review may be overlooked, resulting in gaps that could compromise the physical security of NESS warehouse facilities. Without the existence and maintenance of documented physical security controls for regional warehouses, there is a risk that management may not be able to track what controls exist at each facility, resulting in those controls not being maintained.
  - Without routine inspections of physical security controls in the regions, there is a risk that they may not be functioning as intended, resulting in gaps that could compromise the physical security of NESS warehouse facilities and assets.
Rec. #: 2, 3, 4

Risk Ratings measure the residual risk without implementing the recommendation:

1 - Minimal Risk
2 - Minor Risk
3 - Moderate Risk
4 - Significant Risk
5 - Major Risk
