Physical Security Audit - Final Report

Corporate Audit and Evaluation Branch
June 2008

Executive Summary

Background: Federal departments and agencies are required to conduct internal audits of their security programs and inform the Treasury Board Secretariat of the results. A security program with safeguard mechanisms to prevent and delay unauthorized access to assets, detect attempted and actual unauthorized access and activate appropriate responses is essential to the security of facilities and continued public trust in the Canada Revenue Agency (CRA) and its tax system.

In 2005, the Security Directorate began restructuring in order to implement a common functional organizational structure throughout the CRA Regions. The Finance and Administration Branch (FAB) also developed various measures to support the CRA in meeting strategic directions. The FAB committed to completing an analysis of security policies and reviewing security standards pertaining to CRA facilities.

The National Facilities Security Review (NFSR), a review of physical security safeguards at CRA facilities, was one of the measures implemented in 2004‑2005 and extended over the two following years. This initiative resulted in the administration of a self‑assessment questionnaire for each CRA facility. Compliance and Monitoring Inspections (CMI) of selected facilities were also part of the measures implemented during that period.

Objective and scope: The objective of this audit was to determine whether the key activities linked to the security of the Agency's facilities were conducted in accordance with the applicable Agency policies and directives.

Emphasis was placed on the security fit-up of and controlled access to facilities, including internal and external CRA perimeters. The audit did not include the protection of employees or protected and classified information.

The examination phase of the audit was conducted from April 2007 to March 2008. Analyses, tests, inspections and interviews were conducted at seven sites in three regions. Meetings were also held with regional stakeholders from those regions and the Security, Risk Management and Internal Affairs Directorate (SRMIAD).

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: The CRA is equipped with physical security policies, guidelines, procedures and technical guides. If the standards contained in these were respected and applied consistently, they would help improve the level of protection at CRA facilities. However, the control, detection, monitoring and surveillance measures they set forth were not always appropriately applied at facilities.

Problems were noted in the implementation of the NFSR and CMI initiatives, and follow-up of corrective measures. Apart from its national priorities and initiatives, the Security Directorate did not demonstrate that it had any work plans or objectives covering all physical security activities. Overall, minimal time was spent on controls and on management follow‑up of elements of the National Physical Security Program.

In general, security staff in the regions had received basic security training. However, periodic refresher courses or professional development to increase knowledge of standards and technical tools were not offered. In addition, when experienced security staff left, knowledge was not always transferred, which affected certain aspects of the program. The security staff with responsibilities in the threat and risk assessment (TRA) process were not all familiar with TRA procedures and did not have the necessary tools to complete them. Despite the existence of an appropriate process for reporting incidents, the definition of a security incident was neither clearly nor consistently understood by many CRA stakeholders.

A program was implemented to raise employee awareness of certain elements of the Security Program, however the SRMIAD did not have the necessary information to assess the effectiveness of these efforts. Deficiencies were noted due to a lack of employee compliance with basic security control mechanisms.

The roles and responsibilities of several Physical Security Program stakeholders were not uniformly defined, known or assumed. Furthermore, discussions with Directors or Heads of Facilities revealed some ambiguity regarding their understanding of their roles, responsibilities and their accountability pertaining to security. Following the merger of the Northern and Southern Ontario regions, the internal auditors observed that the implementation of the approved organizational structure was not finalised as of fall 2007.

Action Plan: The SRMIAD is in agreement with the recommendations and has developed action plans to address them. The SRMIAD, in cooperation with the security personnel from the Regions and the various stakeholders, has committed to correct all the deficiencies identified in the Physical Security operations during this audit. The SRMIAD will take measures to ensure that the other CRA facilities are reassessed by the second quarter of 2008-2009.

By the end of March 2009, the SRMIAD will include the TRA concept in its Physical Security policy and its procedures. The SRMIAD will revise the list of security incident categories in order to ensure a uniform understanding by all stakeholders. Over the course of the same fiscal year, the SRMIAD will finalize the training profiles currently being developed for each position and will ensure that individual learning plans are developed and that training is provided.

In order to strengthen the management of the Security Program, the SRMIAD will adopt various measures during fiscal year 2008-2009 to improve the communication and understanding of the roles and responsibilities of the different internal and external stakeholders. Also, each Region has prepared a human resources plan to permanently staff positions. The SRMIAD has also undertaken the task of preparing a work plan covering the entire Security Program, which will consider regional and local objectives and needs, including awareness activities. Lastly, during a national meeting held in May 2008, all Security stakeholders were informed of the necessity to carry out follow-ups at all levels, covering the entire Physical Security Program including national initiatives.

Introduction

The Government Security Policy (GSP) defines physical security as the use of physical safeguards to prevent and delay unauthorized access to assets, detect attempted and actual unauthorized access and activate appropriate response. The CRA is subject to the provisions of the GSP, which sets forth operational policies and standards regarding the protection of sensitive information and assets throughout the federal administration.

At the Canada Revenue Agency (CRA), the Security, Risk Management and Internal Affairs Directorate (SRMIAD) of the Finance and Administration Branch (FAB) is the body responsible for the management and compliance of the security program. Although the Director General of SRMIAD, as defined in the GSP, is the security officer and is responsible for managing the CRA's Security Program, responsibility for security at CRA is shared between several stakeholders, including Directors or Heads of Facilities.

The CRA committed itself to developing, implementing, coordinating and monitoring its own security program. The Security Volume of the Finance and Administration Manual (FAM) sets forth the relevant policies and guidelines to ensure that the CRA complies with the provisions of the GSP.

In 2005, the Security Directorate began restructuring in order to implement a common functional organizational structure throughout the CRA Regions. The FAB also developed various measures to support the CRA in meeting strategic directions such as completing an analysis of security policies and reviewing security standards pertaining to CRA facilities.

The National Facilities Security Review (NFSR), a review of physical security safeguards at CRA facilities, was one of the measures implemented in 2004‑2005 and extended over the two following years. This initiative resulted in the administration of a self‑assessment questionnaire for each CRA facility. Compliance and Monitoring Inspections (CMI) of selected facilities were also part of the measures implemented during that period.

Objective and Scope of Audit

The objective of this audit was to determine whether the key activities linked to the security of the Agency's facilities were conducted in accordance with the applicable Agency policies and directives.

Emphasis was placed on the security fit-up of facilities and controlled access to facilities, including inside and outside CRA perimeters. The audit did not include the protection of employees and protected and classified information.

The examination phase of the audit was conducted from April 2007 to March 2008. The analyses, tests, inspections and interviews were conducted at seven sites in three regions. Of the sites chosen, two were located in the National Capital Region, three were in the Quebec Region and two were in the Ontario Region. In addition to the sites audited, meetings were held with regional stakeholders from these regions and with SRMIAD.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Physical Security Operations

The policies, guidelines, procedures and guides contained in the Security Volume of the FAM, such as the Physical Security Standards and Design Specifications Guide, provide the information and framework needed to ensure an appropriate level of protection for the physical security and design of CRA facilities. Multiple, layered security controls are used so that protection is maintained in the event that any single security measure or device fails.

Security design at CRA facilities is based on multiple control mechanisms, such as key and combination controls, security guard services and access card, intrusion detection and camera surveillance systems. These mechanisms must be designed and installed according to the principle of progressive zones in order to delay access to facilities, assets and information for which the CRA is responsible.

The tests and inspections of access control mechanisms at the selected sites were conducted in accordance with the principle of progressive zones. It should be noted that they were also conducted in a transparent manner and, in most cases, in the presence of a security representative.

Access via the exterior perimeter, interior perimeter and certain secure rooms at each selected facility was inspected including the testing of closing and locking mechanisms. The periphery of the exterior perimeter at each facility including its landscaping and lighting was also inspected. Deficiencies were identified at different levels in all the sites audited. Depending on the site, these deficiencies included one or more of the following elements: access control to several secure rooms did not meet the CRA standard, certain exterior and interior perimeter doors were not adequately secured and deadbolts and other hardware were used inappropriately or were missing. It should be noted that certain vulnerabilities were already noted during inspections conducted by the Security Directorate over the last few years and had not yet been corrected.

Existing controls and procedures for managing combinations and keys, such as grand master keys, master keys, replacement keys and emergency keys, were also audited. Tests were performed to determine whether controls were in place for the existence, maintenance and protection of control logs and inventories, the identification and copying of replacement keys, and the storage of keys and combinations. Several controls related to the issuing and cancellation of access cards were also audited. Procedures for issuing new or temporary cards or replacing lost or stolen cards were analyzed, both for CRA staff and for contractors. The user‑friendliness and flexibility of the card management software used to monitor access was also audited. Tests were conducted to corroborate the lists of employees approved by operational area against the access programmed into the security system, including extended access and access during silent hours.

Weaknesses were identified in key, combination or access card controls at six of the seven sites. These deficiencies included inventories not kept or not updated, records not kept or inadequately protected, and other inadequately safeguarded information regarding keys and combinations.
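The corroboration test described above, reconciling the lists of employees approved by operational area against what the card management system actually has programmed, is the kind of check that can be automated and repeated between inspections. The following is an added example and is not code from the audit report or from the CRA; the employee numbers, card numbers, zone codes and the 07:00 to 19:00 business-hours window used to define "silent hours" are all constructed assumptions. A real export from a card management system would need its own loader, but the reconciliation logic is the same: flag cards held by people not on any approved list, cards that open more zones than approved, and cards programmed to work outside business hours without an approval for silent-hours access.

```python
"""Reconcile approved access lists against programmed card access.

Added example, not part of the CRA audit report. All data below is
constructed (hypothetical employees, cards, zones and schedules).
"""
from dataclasses import dataclass
from datetime import time

# Assumption: "silent hours" are anything outside this window.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed sample: what operational managers approved, per employee.
APPROVED = {
    "E1001": {"zones": {"LOBBY", "FLOOR3"}, "silent_hours": False},
    "E1002": {"zones": {"LOBBY", "FLOOR3", "SERVER-ROOM"}, "silent_hours": True},
    "E1003": {"zones": {"LOBBY"}, "silent_hours": False},
}

# Constructed sample: what the card management system has programmed.
# card_id -> (employee, zones the card opens, (window start, window end))
PROGRAMMED = {
    "C-551": ("E1001", {"LOBBY", "FLOOR3"}, (time(7, 0), time(19, 0))),
    "C-552": ("E1002", {"LOBBY", "FLOOR3", "SERVER-ROOM"}, (time(0, 0), time(23, 59))),
    "C-553": ("E1003", {"LOBBY", "FLOOR3"}, (time(0, 0), time(23, 59))),  # over-provisioned
    "C-554": ("E1004", {"LOBBY"}, (time(7, 0), time(19, 0))),  # not on any approved list
}


@dataclass(frozen=True)
class Finding:
    card_id: str
    employee: str
    issue: str
    detail: str


def grants_silent_hours(window):
    """True if the programmed window extends outside business hours."""
    start, end = window
    return start < BUSINESS_HOURS[0] or end > BUSINESS_HOURS[1]


def reconcile(approved, programmed):
    """Compare programmed access to approvals and return the discrepancies."""
    findings = []
    seen = set()
    for card_id, (emp, zones, window) in programmed.items():
        seen.add(emp)
        if emp not in approved:
            findings.append(Finding(card_id, emp, "not-approved",
                                    "active card for employee absent from approved list"))
            continue
        extra = zones - approved[emp]["zones"]
        if extra:
            findings.append(Finding(card_id, emp, "excess-zones", ",".join(sorted(extra))))
        if grants_silent_hours(window) and not approved[emp]["silent_hours"]:
            findings.append(Finding(card_id, emp, "silent-hours",
                                    f"window {window[0]}-{window[1]} without approval"))
    # Approved people with no card are worth a look too: it can mean a shared card is in use.
    for emp in approved:
        if emp not in seen:
            findings.append(Finding("-", emp, "no-card", "approved but no card programmed"))
    return sorted(findings, key=lambda f: (f.card_id, f.issue))


if __name__ == "__main__":
    for f in reconcile(APPROVED, PROGRAMMED):
        print(f"{f.card_id}\t{f.employee}\t{f.issue}\t{f.detail}")
```

Run against the constructed data, this reports three discrepancies: card C-553 opens a zone its holder was not approved for and works during silent hours without approval, and card C-554 belongs to someone absent from the approved lists. The point of running it from the approved list rather than from the card system is that the card system is the thing being audited; it cannot be its own source of truth.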

Audit tests were conducted on the electronic intrusion detection systems for the perimeter and for work and storage areas. These involved determining whether the system could be activated and whether its components detected and recorded intrusions triggered during simulations. The times and conditions of manual and pre‑programmed arming of the system were also audited. Observations, primarily at three of the seven sites audited, ranged from defective or unarmed components to the need to reinforce specific areas at certain facilities.

Closed-circuit television (CCTV) surveillance systems were inspected, taking into consideration the frequency and quality of monitoring by security staff, the operation of components, the appropriate use of the system and the optimal location of cameras. The quality of day and night recordings was examined, including the secure storage of backup copies. In order to strengthen this type of surveillance, some elements were identified, such as repositioning certain cameras, increasing night-time lighting or improving the quality of specific equipment.

Tests and analyses were conducted to assess certain duties of security guards directly related to access control and to determine whether reference manuals, procedures and post orders were available, consulted and followed. Overall, the security guard services, where utilized, performed their expected duties.

The auditors shared all major findings warranting immediate attention with local management. Regional security and SRMIAD representatives were also informed within a reasonable timeframe. It should be noted that many of the findings would have been detected had there been systematic monitoring of the program. A recommendation to this effect is included in section 3.4 of this report.

Recommendations

The SRMIAD, in cooperation with local managers and directors or facility heads, should correct the security deficiencies observed at the audited sites as soon as possible.

The SRMIAD should also ensure that all other CRA facilities are inspected within a reasonable timeframe and that these inspections take into account the various controls at risk, including the observations noted in this audit.

Action Plan

All the observations noted during the audit were documented by the SRMIAD and communicated to local management and to the Regional Assistant Directors of Security responsible for implementation of corrective measures. The implementation of corrective measures required to address the identified deficiencies will be completed by the end of the second quarter of the 2008-2009 fiscal year. Our action plan indicates, however, that our implementation is dependent upon the various Facilities Management stakeholders. We are currently in communication with this group. 

Based on a risk management approach and in cooperation with the Regions, the SRMIAD will develop and pilot a new improved inspection tool (which will include a sampling and testing component). All facilities will have their sites inspected over a five-year cycle starting with the 2008-2009 fiscal year.

During the national conference held in May 2008, the SRMIAD informed the Regions that all self-assessment questionnaires (representing 130 facilities) included in the autumn 2007 review will be returned to Assistant Directors of Security for examination in order to ensure accuracy of the information provided to Headquarters. Furthermore, the self-assessment questionnaire will be strengthened by incorporating a sampling and testing of elements related to Physical Security operations. These revisions will be completed by September 2008.

The Regions will subsequently present the SRMIAD with an implementation plan of measures to be taken including cost estimates so that a risk-based multi-year plan may be developed by the SRMIAD for implementation of a full spectrum of safeguards. Implementation date: March 2009.

2.0 Application of Policies and Procedures

2.1 Threat and Risk Assessment

According to the GSP, the threat and risk assessment (TRA) is a cornerstone of the security program. The TRA must be used to develop protection and control measures and to determine whether existing measures are still adequate thereby ensuring a balance between operational needs and security needs.

Based on this principle, the audit expected that physical security TRAs at the selected sites were conducted, based on relevant information, continually reviewed to reflect changes and updates, and that their recommendations were followed and applied. However, TRAs for each site visited were not available when the internal auditors requested a copy. Only one facility stood out, having conducted a number of TRAs over the years for situations specific to its operations.

The CRA has a Physical Security Standards and Design Specifications Guide, found at Appendix A of Chapter 11 of the FAM Security Volume, in which TRA procedures are set forth. Few security staff members, however, were familiar with the concept that a TRA is an ongoing process that requires knowledge of all changes that might result in adjustments required to maintain an acceptable level of risk regarding physical security. This concept of TRA is explicit in the GSP and the Royal Canadian Mounted Police (RCMP) Guide to Threat and Risk Assessment, but is not adequately described in CRA policies. Security staff confirmed that there was a lack of tools and that most were unfamiliar with existing procedures. Furthermore, the decision-making level required to approve TRAs supporting deviations from physical security standards was not adequately defined.

The Assets Protection and Security Services Division reviews and approves initial design and fit-up plans and, upon request, provides help and advice on proposals related to facilities. However, TRAs are not necessarily completed.

Recommendation

To ensure that facilities have the appropriate level of protection, the SRMIAD should include the basic concepts of TRAs in its employee training so that staff can help identify needs, thereby enabling the designated individuals to carry out these assessments where needed, ensure compliance and, where applicable, have deviations approved by the competent authority.

Action Plan

By the end of the 2008-2009 fiscal year, the SRMIAD will equip itself with a Physical Security Policy which will include the TRA concept. Furthermore, procedures and guidelines will be issued for TRAs and a tool will be developed to apply them. This tool will be piloted in the Quebec Region.

In addition, the fundamentals of TRAs will be added to training profiles in relation to the required competencies of each Security position.

2.2 Awareness

According to Chapter 1 of the FAM Security Volume, an awareness program must be implemented to regularly remind all employees of their responsibilities pertaining to physical security as well as making them aware of issues and security concerns.

Numerous measures have been implemented (awareness sessions, thematic weeks, newsletters, communiqués, etc.) by the SRMIAD in order to raise employee awareness of certain elements of the security program. However, with the exception of quantitative data such as the number of sessions and participants, and feedback in the form of optional surveys from CRA employees, the SRMIAD does not have enough information to assess the effectiveness of its efforts to improve awareness of security issues. Furthermore, several aspects of physical security were neither covered in the National Awareness Program nor addressed at the regional or local level.

During the seven site visits, the auditors observed several situations in which basic security controls were not respected by employees. These included the inappropriate use of access cards and turnstiles, authorizations for access during silent hours and compliance with door closing instructions. These situations may indicate a lack of employee awareness of their security roles and responsibilities, which casts a doubt on the full effectiveness of the awareness program.

Given that awareness is an integral part of the duties assigned to security officers, an associated recommendation is included in section 3.3 of this report.

2.3 Training

As indicated in the GSP, training needs must be identified to ensure that all security staff receive the timely training and professional development needed to perform their duties.

The SRMIAD is currently in the process of developing a training profile for each security position. Generally, Security employees have received basic training, such as the RCMP's physical security course or pairing with an experienced employee. Despite this, most security stakeholders interviewed by the internal auditors had little knowledge of the security standards or equipment examined in the audit, even when those standards were taken from reference documents governing CRA security. Knowledge of how to use the electronic security systems used by the CRA was limited, and in some cases prevented security personnel from appropriately performing their work and conducting monitoring activities.

In their interactions with security staff, the internal auditors noted that the level of knowledge of security varied considerably. It was clear that security officers needed technical training. However, periodic development of general and technical knowledge was not offered to security employees.

Finally, the transfer of knowledge was not assured everywhere. At some of the sites visited, employees who had left their security positions were the only ones familiar with certain essential functions.

Recommendation

The SRMIAD should finalize the training profiles currently being developed and train its security staff in the regions.

Action Plan

The SRMIAD will finalize its training profiles currently being developed for each position during the 2008-2009 fiscal year. Furthermore, individual learning plans will be developed jointly with local management so that each Security employee meets the threshold levels of the technical competencies of his position. These learning plans will also include the training needs with respect to TRA concepts. Training will be provided over the course of the 2008-2009 fiscal year and repeated on an annual basis.

The SRMIAD will continue to use the services of the Royal Canadian Mounted Police (RCMP) to provide basic training in Physical Security to its employees. This basic training will be augmented by information sessions provided by the SRMIAD on the Physical Security Standards and Design Specifications Guide (Appendix A, Chapter 11, Security Volume, FAM).

2.4 Physical Security Incidents

According to Chapter 15 of the FAM Security Volume, security incidents must be reported and investigated quickly so that corrective measures can be taken at the appropriate level (local, regional or national), as needed, to avoid aggravating or repeating harmful events.

A process for reporting security incidents was in place at the local and regional levels and at the National Incident Reporting Centre (NIRC). A list prepared by the NIRC listed and defined the types of security incident by category. This list served as a guide for local security staff in completing the incident report (form RC 166) and indicated what information should be forwarded to the NIRC.

Despite the list of incident categories provided and the related information, the definition of a security incident was not clearly understood or uniformly interpreted by the numerous stakeholders (directors, managers and Security staff). Some offices or regions reported all security incidents to the NIRC, while others included only certain categories of incidents, such as major ones. Sometimes, security incidents were not reported to local security, but were dealt with by other sectors of Finance and Administration (F&A).

Non-uniform reporting of physical security incidents could distort statistics and adversely affect the analysis of national, regional and local trends, thus influencing the implementation of appropriate corrective measures. Information related to the scope of the audit and forwarded to the NIRC was not necessarily representative of all security incidents.

The involvement of certain Directors or Directors General at local offices had a positive influence on decision making and the implementation of corrective measures following security incidents.

Recommendation

The SRMIAD should review its list of security incident categories and ensure their uniform understanding by all the stakeholders involved in the process in order to ensure the integrity of information at the National Incident Reporting Centre.

Action Plan

During the 2008-2009 fiscal year, the SRMIAD will review and update the list of security incident categories. Consequently, changes will be made to ensure its uniform understanding by all the stakeholders involved in the process in order to ensure the integrity of information at the National Incident Reporting Centre.

3.0 Management of the Security Program

3.1 Roles and Responsibilities

The roles and responsibilities of security staff and physical security stakeholders must be defined, known and assumed as set forth in Chapter 1 of the FAM Security Volume.

The definition and understanding of the roles and responsibilities of the various physical security stakeholders, both security staff at various levels and managers or collaborators such as the other Directorates and Divisions of the CRA, are essential to the proper operation of the physical security program.

However, the roles and responsibilities of several of the Physical Security Program stakeholders interviewed were not uniformly defined, known and assumed in some respects. This had an impact on various aspects of the physical security program mentioned previously in this report. As well, the decision-making level for approval of deviations from standards was not clearly defined.

Discussions with directors or facility heads from six of the seven audited sites revealed certain ambiguities in how they understood their roles, responsibilities and accountabilities for security. For instance, directors or facility heads were responsible for the security of their buildings, but did not have control over security activities, staff or budgets, which were under the responsibility of the FAB. In addition, they felt that there was a lack of clarity in their roles and responsibilities since they had lost influence over decisions related to physical security with the implementation of the regionalized security structure.

Recommendations

The SRMIAD should strengthen the communication and the understanding of the physical security roles and responsibilities of the various external and internal stakeholders including directors or facility heads.

The SRMIAD should also ensure the cooperation of all stakeholders in order to optimize the protection of access to CRA facilities.

Action Plan

During the 2008-2009 fiscal year, the SRMIAD will provide physical security information sessions to ensure the comprehension of the roles and responsibilities of the various external and internal stakeholders including Directors or Facility Heads. In addition, the SRMIAD will revise the “Remote Management Guide”, currently being developed by the Quebec Region, to ensure that the component pertaining to the responsibilities of Facility Heads is adequate prior to finalising it and sharing it with all the Regions.

In 2008-2009, the SRMIAD will hold meetings on a regular basis, with the various stakeholders responsible for Facilities Management at Headquarters, in order to strengthen the communication and the understanding of the roles and responsibilities of the many external and internal stakeholders. A first meeting was already held during the Real Property and Service Integration Directorate's national conference in May 2008.

3.2 Organizational Structure

The organizational structure must provide an adequate accountability framework at the various levels of management, both in the regions and at SRMIAD, to allow efficient management and the achievement of the objectives of the security program.

In 2005, the SRMIAD began restructuring in order to implement a common functional organizational structure in the regions, changing from a horizontal model grouped under Accommodation, Telephony and Security to a regionalized security organization. These changes sought to create a forward looking security organization focused on a strategic approach.

Following the merger of the Northern and Southern Ontario regions, the internal auditors observed that the implementation of the approved organizational structure was not finalised as of fall 2007. Also, several positions had not been permanently staffed, including the security manager positions at six of the seven sites visited.

There was a discrepancy in the responsibilities assigned to regional security officials. For example, the Assistant Director of Security in one region was responsible for a considerably larger number of offices and employees than the Assistant Director of Security in another region. The Security Manager in another region was responsible for security at 30 facilities occupied by the CRA and provided remote services with limited staff, while the other offices audited had security staff on site.

Recommendation

The SRMIAD should complete the transition to the new structure and ensure that it allows security staff to perform their duties in an optimal manner.

Action Plan

The SRMIAD will complete a follow-up by June 30, 2008 in order to confirm with the Ontario Region that the transition has been finalized.

By the end of the 2008-2009 fiscal year, a review of the existing Headquarters Security organizational structure will be completed and recommendations will be presented to management.

Each Region has prepared a human resources plan to fill the vacant positions of their organisation. In this regard, the SRMIAD will support the regions accordingly. These plans will be implemented in each of the Regions over the course of the 2008-2009 fiscal year.

3.3 Objectives and Work Plans

Short and long‑term objectives and work plans must be developed and regional and local annual operating plans must be prepared to meet the requirements of the physical security program. These are set forth in Appendices A and B of Chapter 1, of the FAM Security Volume.

Specific objectives regarding compliance and monitoring of the physical safeguards at facilities were included in the FAB's Functional Business Plans. These objectives resulted in national initiatives and projects for the SRMIAD. Initiatives included the NFSR, the objective of which was to review physical safeguards at facilities and CMIs conducted at a frequency of four per quarter.

As part of the NFSR initiative, local offices completed an annual physical security self‑evaluation questionnaire which they submitted to the SRMIAD. An analysis was conducted by SRMIAD and elements to be corrected were presented to the regions in the form of a report and action plan.

Although the initiative is considered a good practice, problems were noted in the implementation of corrective measures and in their follow‑up. At the audited sites, the physical security elements sampled from the NFSR action plans were not implemented at a satisfactory rate. It should be noted that the funds available for this initiative were not fully utilized.

The Security compliance and monitoring inspections (CMIs) were conducted by SRMIAD advisors in cooperation with regional and local Security personnel. Different offices were selected and inspected each year as part of this detailed review. A report of the results and corresponding recommendations was submitted to the appropriate regions. At the audited sites, the physical security elements sampled from the CMI recommendations were not implemented at a satisfactory rate.

All stakeholders were under the impression that all actions and recommendations had been implemented. However, only one of the audited sites stood out for having implemented almost all of the corrective measures related to the NFSR and CMI initiatives.

Although regional and local security staff adhered to national priorities and initiatives, they did not have business plans or objectives covering all the physical security activities covered in the FAM.

Several stakeholders confirmed that the day‑to‑day security work was carried out in a more reactive manner. However, some offices had recently reintroduced security inspections and sweeps of their premises. In addition, some inspection duties have been assigned to on-site security guards, where they were utilized.

Recommendation

The SRMIAD should ensure that the regional and local security teams have objectives and business plans that allow for the regular integration of all activities of the physical security program including increased awareness among CRA employees, as described in the Security Volume of the CRA's Finance and Administration Manual.

Action Plan

For the 2008-2009 fiscal year, the SRMIAD has already initiated discussions with the Regions aiming to establish a work plan for the entire Security Program that takes into account the day-to-day activities of the Physical Security Program as well as the target audience. The work plan has already been discussed with the Regional Directors and Assistant Directors. It will take into account the local and regional needs and objectives in order to ensure their integration within the entire Physical Security Program. The work plan will be prepared and implemented over the course of the second quarter of the 2008-2009 fiscal year.

3.4 Management Follow‑Up and Controls

As indicated in Chapter 1, Agency Security Program Framework, and its Appendices A and B of the FAM Security Volume, controls and management follow-up of physical security must be implemented by the various local, regional and national security stakeholders.

There was minimal time dedicated to controls and management follow‑up of the elements of the physical security program at any of the audited sites. Many of the deficiencies noted in the audit would have been detected by management follow‑ups and systematic monitoring.

Recommendation

The SRMIAD should ensure that controls, management follow‑ups and monitoring mechanisms function properly at all levels, in order to support the achievement of objectives and adherence to work plans, including initiatives such as the NFSR and CMIs.

Action Plan

During the national conference held in May 2008, the SRMIAD informed the Regions that all self-assessment questionnaires (representing 130 facilities) included in the autumn 2007 review will be returned to Assistant Directors of Security for examination in order to ensure the precision of the information provided to Headquarters.

At this same conference, all Security stakeholders were informed of the necessity to carry out follow-ups at all levels, covering the entire Physical Security Program including national initiatives.

Conclusion

The CRA has physical security policies, guidelines, procedures and technical guides. If the standards contained in these were respected and applied consistently, they would contribute to improving the level of protection at CRA facilities. However, the control, detection, monitoring and surveillance measures set forth were not always appropriately applied at facilities.

Concerning the two initiatives, the NFSR and the CMIs, problems were noted in the implementation and follow-up of corrective measures. Apart from its national priorities and initiatives, the Security Directorate did not demonstrate that it had any work plans or objectives covering all physical security activities. Overall, minimal time was spent on controls and on management follow‑up of elements of the National Physical Security Program.

In general, security staff in the regions had received basic security training. However, periodic refresher courses or professional development to increase knowledge of standards and technical tools were not offered. In addition, when experienced security staff left, knowledge was not always transferred, thus affecting certain aspects of the program. The security stakeholders required to play a role in the threat and risk assessment (TRA) process were not all familiar with TRA procedures and did not have the necessary tools to complete them. Despite the existence of an appropriate process for reporting incidents, the definition of a security incident was neither clearly nor consistently understood by many CRA stakeholders.

A program was implemented to raise employee awareness of certain elements of the Security Program; however, the SRMIAD did not have the necessary information to assess the effectiveness of these efforts. Deficiencies were noted due to a lack of employee compliance with basic security control mechanisms.

The roles and responsibilities of several Physical Security Program stakeholders were not uniformly defined, known or assumed. Discussions with Directors or Heads of Facilities revealed some ambiguity regarding their understanding of their roles, responsibilities and their accountability pertaining to security. Following the merger of the Northern and Southern Ontario regions, the internal auditors observed that the implementation of the approved organizational structure was not finalised as of fall 2007.
