Horizontal Internal Audit of Physical Security in Large and Small Departments

Why this is important

Recent security events^{Footnote 2} around the world underscore the importance of having effective physical security in place to help adequately protect individuals, information and assets. [Redacted], protesters gaining access to National Energy Board^{Footnote 3} hearings and various Indigenous and Northern Affairs Canada^{Footnote 4} offices in 2016, and the Parliament Hill shooting in 2014^{Footnote 5} show that Canada is not immune to security threats.^{Footnote 6}

The Government of Canada employs approximately 220,000 individuals within the core public administration,^{Footnote 7} manages more than $86 billion in non-financial assets,^{Footnote 8} and owns or leases over 38,000 buildings.^{Footnote 9} While different government departments may face different threats depending on their operations, locations and assets, all federal departments could potentially face significant injuries in terms of the loss of confidentiality and integrity, and the unavailability of employees, information and assets if physical security were to be compromised.^{Footnote 10} The repercussions could be further compounded by the increasing interdependencies between departments, such as reliance on internal enterprise services or co-location.

In this context, comprehensive and strongly integrated governance frameworks, and departmental processes supporting physical security are key to helping adequately protect government employees, information and assets from compromise.

Key findings

Physical security in the Government of Canada

Physical security, as one of eight security controls^{Footnote 13} within the broader area of government security, aims to provide reasonable assurance that individuals, information and assets are adequately protected, thereby supporting the delivery of government programs, services and activities. This is achieved by defining, documenting, implementing, assessing, monitoring and maintaining physical security requirements, practices and controls throughout all stages of the real property and materiel management life cycles.

More specifically, physical security refers to the use of security controls^{Footnote 14} (entrance gates at government offices, security guards, locked filing cabinets, cameras, alarms, and so on) to prevent or delay unauthorized access to employees, information and assets, and to detect and report attempted or actual unauthorized access.

Physical security relies on and complements other aspects of a departmental security function. Ultimately, to be effective in protecting individuals, information and assets, physical security controls need to be tailored to departments and integrated with the other security controls outlined in the Treasury Board Policy on Government Security. For instance, the effectiveness of entrance gates controlling access to government facilities depends on the integrity of the process for issuing access cards only to individuals with appropriate security clearance (security screening). In turn, the effectiveness of other security controls, such as information technology security, relies on the adequacy of physical security safeguards (such as effectively restricting access to server rooms). Similarly, the success of a departmental and/or government-wide response to certain security incidents or events (security event management) relies on the effectiveness of physical security safeguards (cameras, alarms, security guards, and so on) to detect such incidents or events and report them in a timely manner to the appropriate authorities.

Although responsibility for departmental physical security rests ultimately with deputy heads, it should be noted that responsibility for the security of government as a whole is shared among several stakeholders (central agency, lead security agencies, internal enterprise service organizations^{Footnote 15} and departments).

Lead security agencies have a leadership and support role in relation to government security and contribute to the achievement of government security policy objectives. While their specific responsibilities vary, lead security agencies also share responsibilities for providing advice, guidance and services to support departmental security operations.

The main lead security agencies responsible for supporting physical security^{Footnote 16} are:

• the Treasury Board and its Secretariat for their policy roles as a central agency
• the Royal Canadian Mounted Police (RCMP) as the lead security agency for physical security
• Public Services and Procurement Canada (PSPC) for its role in providing base building security^{Footnote 17} as an internal enterprise service organization
• the Privy Council Office (PCO) for its national security role

Policy framework for physical security

The Treasury Board security policy framework, which sets out requirements for physical security, aims to ensure that deputy heads effectively manage security activities within departments, while also contributing to the effective management of government-wide security. During the audit, the Treasury Board of Canada Secretariat (the Secretariat) renewed this framework and streamlined the policy instruments to provide greater flexibility to departments.^{Footnote 18} Upon review, it was determined that the renewed policy framework does not negate the requirements of the previous policy framework, on which this audit was based.^{Footnote 19}

The renewed Treasury Board security policy framework took effect on July 1, 2019, and includes the following instruments relevant to physical security:

• the Treasury Board’s Policy on Government Security
• the Secretariat’s Directive on Security Management (includes “Mandatory Procedures for Physical Security Control”)

Per the renewed Policy on Government Security, responsibility for providing leadership, advice and guidance on matters relating to physical security remains with the RCMP. In alignment with this responsibility, the RCMP issued physical security technical guidance between 1998 and 2014 to supplement the Treasury Board security policy framework and support departmental security operations.^{Footnote 20} The RCMP is in the process of updating some of its guidance to align with the recently renewed Treasury Board security policy framework.

Finding 1: Governance at the government-wide level

Effective security governance, both within departments and across government, is one of the expected results of the Treasury Board Policy on Government Security. Under this policy, the Secretariat is responsible for establishing government-wide security policy governance. This involves setting strategic direction and priorities, and coordinating security priorities, plans and activities government-wide. Lead security agencies share responsibility for participating in government-wide security policy governance (including providing policy implementation advice to departments). Lastly, internal enterprise service organizations are responsible for establishing governance to oversee security considerations for the internal enterprise services they provide.

Given the complexity of federal government operations, the various stakeholders involved, the shared accountabilities and the variety of threats and risks faced by departments, having clearly defined and integrated government-wide governance is key to effectively coordinating physical security activities.

The audit examined whether the Secretariat, and the selected lead security agencies and internal enterprise service organizations, carried out their physical security governance responsibilities under the Financial Administration Act and the Policy on Government Security. At the government-wide level, the audit focused on the following aspects of governance: policy instruments, initiatives supporting departments, committee structures, strategic planning, and monitoring and reporting frameworks.

Policy instruments were issued by both the Secretariat and the RCMP to provide government-wide direction on physical security. After several years, the Secretariat’s instruments were recently renewed and work is now in progress to update the RCMP’s technical guidance.

Pursuant to its mandated responsibilities, the Secretariat published policy instruments on its website to support a whole-of-government approach to physical security. During the audit, the main instruments developed by the Secretariat to provide government-wide direction on the roles, responsibilities and requirements for physical security included the Policy on Government Security, the Directive on Security Management (in effect as of July 2019), including the “Mandatory Procedures for Physical Security Control”, the Directive on Departmental Security Management (now archived) and the Operational Security Standard on Physical Security (now archived).

At the time of the audit fieldwork, the Treasury Board security policy framework had not been updated in several years. The main reasons raised by the Secretariat’s representatives to explain this included the need for a detailed analysis to increase the clarity of requirements, the need to re-align with emerging new priorities (including the new Policy on Service and Digital) and a change in senior management at the Secretariat. The Secretariat was, however, in the process of renewing this framework and completed this major undertaking during the reporting phase of the audit in 2019. As part of the process, the Secretariat sought input from various stakeholders across the government’s security community, including from small departments, interdepartmental governance committees, other lead security agencies and internal enterprise service organizations. Consultation drafts of the policy instruments were also made widely accessible on the federal government’s intranet (GCpedia) throughout the process in an effort to engage with departments and help them prepare for the transition.

During the transition to the new Treasury Board security policy framework, there is as an inherent risk that its new and streamlined requirements may not be appropriately implemented by departments. Representatives interviewed at the Secretariat are aware of this and mentioned that work is underway to issue change management guidance in support of the physical security requirements currently in effect.

In alignment with its responsibilities under the Policy on Government Security, the RCMP, as the lead security agency for physical security, also published several physical security-related technical guidelines on its website. However, similar to the Secretariat’s policy instruments, these had not been updated in recent years, with one in particular having been issued two decades ago. Several departments included in the audit raised this as an issue, and RCMP representatives interviewed explained that the department’s limited capacity to perform its lead security agency role was the main challenge in this regard. Work is currently underway to update the Security Equipment Guide, which the RCMP deems as the most needed physical security technical guidance by the security community. Additionally, representatives from the RCMP indicated that a strategic plan is being developed for a planned review and update of all of its physical security technical guidance.

Having up-to-date government-wide physical security policy instruments and technical guidance that are broadly communicated, harmonized and regularly maintained to address the needs of stakeholders would reduce the risk that roles, responsibilities, expectations and requirements are not clearly understood and implemented. This would in turn increase the federal government’s readiness and resilience to disruptions.

To complement government-wide security policy instruments, lead security agencies also provided support to departments in the area of physical security. Support relating to base building security^{Footnote 24} could be improved in terms of maintenance of TRAs,^{Footnote 25} and consultation in identifying risks, needs and priorities.

In addition to providing formal technical advice and guidance, lead security agencies also share responsibility for providing services to support the day-to-day security operations of departments (see Appendix E).

To fulfill this responsibility, lead security agencies undertook various general security initiatives related to physical security. For example, the Secretariat, PSPC and the RCMP all provided day-to-day support to departmental security operations (including physical security) by answering enquiries through generic email accounts established for this purpose. On an ad hoc basis, the Secretariat also reviewed and provided feedback on departmental security plans (DSPs) (which include physical security measures) upon request by departments. Through its Security Centre of Excellence,^{Footnote 26} PCO conducted briefings with newly-appointed security professionals to inform them of its various initiatives that support security government-wide. Additionally, the Secretariat indicated that its Security Policy Division meets with newly appointed chief security officers to apprise them of their policy responsibilities. To support the security functional community, annual security summits (covering physical security-related topics in some years) were held and co-hosted by the Secretariat, PCO and Public Safety Canada. These events aimed at raising awareness of new security initiatives, sharing knowledge and providing security practitioners across government with an opportunity to network.

Regarding base building security, PSPC has provided several internal enterprise services to support departments in this area; however, opportunities for improvements were identified. In alignment with its mandated responsibilities, PSPC managed the procurement of security guard services, established a generic email address to interact with members of the security community who have questions or need to alert PSPC of incidents in buildings, and completed base building TRAs. However, the audit noted that although PSPC has implemented mechanisms to track the completion of base building TRAs, there were instances where the TRAs were not updated at the department’s expected frequency (every five years). [Redacted] Representatives from PSPC indicated that some base building TRAs require updates more frequently than others and that a new risk-based model is currently being implemented to improve the planning of updates. Furthermore, representatives interviewed in some of the departments included in the audit mentioned having experienced challenges in obtaining copies of base building TRAs for their facilities. Departments need the information from PSPC’s base building TRAs to inform the development of their own TRAs. PSPC representatives indicated that a presentation has since been provided to inform the security community that copies of TRAs could be obtained by contacting PSPC’s Base Building Security Operations group through its generic email for community outreach and TRA enquiries. At the time of the audit, PSPC did not demonstrate having put in place an ongoing process to ensure that departments are consistently made aware of its various services and of the mechanisms available to collaborate on base building security matters (such as how to obtain a copy of a base building TRA). PSPC also did not demonstrate having consulted with other government departments and lead security agencies in identifying risks and priorities related to base building security.

In a context where requirements have now been significantly streamlined, departments will likely increasingly rely on the services, advice and guidance provided by lead security agencies to help them navigate the new flexibilities provided within the higher-level requirements of the renewed Treasury Board security policy framework.

Interdepartmental security governance committees were in place and actively supported physical security. Committee operations could be further enhanced.

In a complex organization such as the federal government, where multiple stakeholders share various responsibilities to ensure adequate physical security, interdepartmental governance is key to effectively coordinating efforts. The Secretariat and the RCMP share the main responsibilities for establishing government-wide governance in this area (see Appendix E).

Both the Secretariat and the RCMP have established interdepartmental governance committees supporting a whole-of-government approach to physical security. The Secretariat, on the one hand, established policy governance committees with broad mandates to provide direction supporting the Policy on Government Security. Its committee at the assistant deputy minister level is co-chaired by PCO.^{Footnote 27} The RCMP, on the other hand, established an Advisory Committee on Physical Security (ACOPS), a working-level committee dedicated exclusively to providing government-wide support for physical security. All of these committees demonstrated their support to a whole-of-government approach for physical security through periodic discussions. For example, ACOPS presented several updates on its activities to the Secretariat’s and PCO’s policy governance committees.

Opportunities for improvements were identified in the way the previously mentioned committees operate. Some of these committees did not demonstrate that they consistently tracked and followed up on their decisions. Regarding ACOPS, no documentation was found supporting the approval of its terms of reference, nor demonstrating that roles and responsibilities were defined for and communicated to its various working groups. Additionally, there was limited representation of small departments in the membership of all of these committees for a number of reasons. The Secretariat was aware of this and indicated that work was underway to address this issue in collaboration with representatives of small departments. Finally, some representatives of lead security agencies interviewed indicated that increased coordination among the interdepartmental security governance committees (for example, through regular status updates on physical security activities) would be beneficial.

Having formally approved and documented terms of reference in place for all governance committees that clearly define their respective mandates, roles, responsibilities and accountabilities could help the various stakeholders involved collaborate more effectively and efficiently. Also, consistently tracking and following up on committee decisions help ensure that they will be implemented as intended. Finally, stronger coordination between the governance committees could result in synergies, which may in turn further enhance physical security across government.

Foundational mechanisms were established to strategically plan government-wide initiatives supporting physical security; however, strategic plans were not finalized.

The Secretariat is responsible for establishing government-wide security policy governance to set strategic direction and priorities. This includes ensuring the coordination of government security priorities, plans and activities. All the lead security agencies are expected to participate in this process. In particular, the RCMP was designated as the lead security agency specifically responsible for providing leadership on matters related to physical security.

In alignment with its responsibilities, the Secretariat established the Government of Canada Enterprise Security Control Committee (GC ESCC) at the director general level to act as an advisory body on key strategies for strengthening the effectiveness of government security policy, services and related operations (including physical security). All the lead security agencies and internal enterprise service organizations identified by the Policy on Government Security are members of this committee. The terms of reference specify that members are responsible for developing and monitoring priorities on an annual basis to fulfill the various lead security agency and internal enterprise service organization responsibilities under the Policy on Government Security. The chair’s responsibilities include reporting on progress in implementing priorities to an interdepartmental Assistant Deputy Minister Security Committee (ADM SC) established by the Secretariat and to other senior management committees, as appropriate. ADM SC, which includes all lead security agencies and internal enterprise service organizations in its membership, is the decision-making body on government-wide security policy initiatives. Its mandate is to provide strategic direction and leadership to the development, implementation and ongoing evaluation of the Policy on Government Security. This entails supporting an integrated risk-based approach between lead security agencies, internal enterprise service providers, central agencies and departments in support of the Government of Canada security policy objectives and related ongoing operations (including physical security).

During the audit fieldwork and reporting phase, GC ESCC demonstrated that work was underway to develop a formal Lead Security Agency and Internal Enterprise Security Services annual joint work plan to identify and track progress on strategic priorities. A partially completed plan was provided that listed some physical security priorities including status, milestone target dates and deliverables. Priorities were identified for all lead security agencies and internal enterprise security organizations included in the audit.

The audit also noted that the GC ESCC has briefed the ADM SC once (in June 2019) to provide an overview of the objectives of the GC ESCC and of some gaps, potential risks, opportunities and issues that may impact Government of Canada security. At this meeting, the chair of GC ESCC presented mock-ups of executive dashboards to be used going forward in identifying and monitoring progress on strategic priorities (including physical security). GC ESCC also committed at this meeting to engaging ADM SC and other deputy head-level committees regularly.

Formal and coordinated strategic planning at the government-wide level would help strengthen the integration of physical security management between all stakeholders involved.

While the Secretariat has monitored and reported on compliance, its current monitoring approach does not provide a broad government-wide view of compliance with physical security policy instruments and does not assess their effectiveness. Work is underway to address these gaps.

The Secretariat is responsible for ensuring government security policy oversight and for overseeing a whole-of-government approach to security management. This includes conducting periodic reviews of the effectiveness of security support services to provide assurance that they continue to meet the needs of the government as a whole.

With respect to monitoring and reporting on compliance with government-wide physical security requirements, the Secretariat has conducted annual Management Accountability Framework (MAF) assessments of departments. However, the Secretariat has recognized that MAF assessments were limited to the assessment of some large departments and agencies and, as a result, the findings generated by the assessment did not provide a broad government-wide view of compliance.

Moreover, the Secretariat did not demonstrate that it has monitored and reported on the effectiveness of its security policy framework covering physical security. Furthermore, the Secretariat did not demonstrate having monitored whether lead security agencies effectively fulfilled their physical security-related responsibilities under the Policy on Government Security.

During the reporting phase of the audit, however, the Secretariat did demonstrate that work was underway to develop a Government of Canada Security Performance Measurement Framework (GCSPMF) to address the previously mentioned oversight gaps. [Redacted] Finally, the audit noted that the Secretariat plans on developing the GCSPMF in a phased approach, which will include consultations with the government security community and a pilot in selected departments prior to its full implementation.

Comprehensive government-wide monitoring and reporting frameworks to periodically oversee the effectiveness of and compliance with the policy instruments supporting physical security would help increase the likelihood that the objectives, expected results and outcomes of the renewed Policy on Government Security will be achieved.

Finding 2: Governance at the departmental level

The Treasury Board Policy on Government Security states that deputy heads are responsible for establishing security governance within their departments. The audit examined whether departments carried out their governance-related responsibilities according to the government security policy framework in effect as of June 30, 2017 (see Appendix A). Upon review, it was determined that the renewed Treasury Board security policy framework issued in July 2019 does not negate the requirements of the previous policy framework on which the findings in this section are based.^{Footnote 28}

The audit focused on the following aspects of departmental governance for physical security:

• governance committees
• communication of roles and responsibilities
• departmental security planning
• monitoring and reporting

Given the previously mentioned delay in reporting for this audit, some of the participating departments may have since addressed the findings and recommendations presented in this section. Any progress made in this regard is to be reflected and tracked in departmental management action plans. Recommendations in this section were framed in the context of the renewed Treasury Board security policy framework to ensure their continued relevance.

Although the vast majority of departments established governance committees to oversee physical security activities, half did not demonstrate that these committees were actively involved in this area.

Under the Directive on Departmental Security Management, departments were required to establish security governance mechanisms (such as committees and working groups) to ensure the coordination and integration of security activities and to facilitate decision-making.

The audit found that nearly all departments had put in place formal governance committees with broad mandates, which included oversight and support for physical security activities. As a good practice, it was noted that half of the large departments and the majority of small departments had established committees or working groups with mandates specifically dedicated to departmental security.

However, half of the departments did not demonstrate that these governance committees actively supported physical security activities by both regularly discussing topics related to physical security at their meetings, and tracking and following up on initiatives in this area. This was particularly the case in departments without committees dedicated to security.

Active involvement from governance committees would help raise the profile of physical security within departments and further enhance the integration of related activities with the other security controls.

While physical security roles and responsibilities were defined in all departments, their documentation, approval and communication could be improved.

The Policy on Government Security required deputy heads to appoint a departmental security officer (DSO)^{Footnote 29} to manage the departmental security program. The DSO was required to report functionally either to the deputy head or to the departmental executive committee. Additionally, departments were expected to appoint security practitioners to support the departmental security program. These practitioners were required to maintain a functional or direct reporting relationship with the DSO. Finally, according to the Directive on Departmental Security Management, the accountabilities, delegations, reporting relationships, roles and responsibilities of departmental employees with security responsibilities were to be defined, documented and communicated to the relevant people.

The audit found that all departments appointed a DSO and security practitioners responsible for physical security. Roles and responsibilities for most key security stakeholders were defined in all departments, often through an approved departmental security policy. In the vast majority of cases, DSOs and security practitioners were also held accountable for their physical security responsibilities through their performance management agreements. As a good practice, the audit noted that the Canadian Food Inspection Agency required its managers and employees to formally acknowledge their understanding and commitment to comply with the Policy on Government Security and Directive on Departmental Security Management. However, while security practitioners in almost all departments had a direct or functional reporting relationship to their DSO, it was noted that in half of the large and small departments, the reporting relationship between the DSO and the deputy head or executive committee was not aligned with expectations.

Opportunities for improvements were also identified in most departments regarding the documentation, approval and communication of roles and responsibilities. For example, specific and up-to-date roles and responsibilities for physical security were not defined for governance committees in most large departments and half of the small departments. Additionally, defined roles and responsibilities were not consistently approved in half of the large departments and small departments. In all of the departments that assigned physical security roles and responsibilities to employees working in regional offices, the audit found that communication surrounding these roles and responsibilities could be improved. For example, several regional security practitioners expressed a desire for increased support from their headquarters (such as through additional training opportunities). Finally, most of the large and small departments had not reviewed all physical security-related roles and responsibilities. Two small departments indicated that they were waiting for the Secretariat to finalize its policy suite renewal before updating their own departmental security policies.

Ensuring that up-to-date physical security roles and responsibilities are formally communicated to all relevant stakeholders would help foster a better understanding of expectations and coordination of efforts, and help ensure that assigned responsibilities are carried out. Furthermore, aligning the reporting relationship of senior departmental security officials with the Policy on Government Security would help raise the profile of security within departments and help ensure proper coordination during security incidents.

Most departments had an overarching DSP covering physical security; however, the content of DSPs was generally not consistently aligned with the DSP process suggested by the Secretariat’s guidelines and, in most cases, DSPs were not regularly reviewed and updated.

According to the Directive on Departmental Security Management, departments were required to develop and maintain a DSP providing an integrated view of departmental security requirements (including physical security). The purpose of DSPs was to detail the decisions for managing security risks and to outline strategies, goals, objectives, priorities and timelines for improving departmental security. To assist departments in meeting expectations, the Secretariat issued guidelines on how to develop DSPs.

The audit found that all departments had an approved DSP in place. The majority of the large departments’ and half of the small departments’ DSPs covered goals, objectives, priorities and timelines. Most departments also demonstrated that a process was established and followed to identify and analyze risks, including those relating to physical security. Additionally, most departments consulted relevant departmental stakeholders during the development of their DSPs.

In general, the content of DSPs examined was not consistently aligned with the Secretariat’s Guideline on Developing a Departmental Security Plan. Opportunities for improvements in this regard mostly revolved around the need to include further details in terms of performance indicators, implementation strategies, and risk evaluations to determine whether the risks identified were acceptable or not. Furthermore, half of the large departments and the majority of small departments did not demonstrate having maintained their DSPs by conducting periodic reviews and updates. In half of the small departments, the main challenge raised pertained to a lack of resources for completing such reviews and updates.

Regularly maintaining and fully aligning DSPs with the Secretariat’s policy instruments would help departments better address emerging security risks and clarify priorities. It would also provide a stronger baseline within departments to monitor the effectiveness of their plans over time, and to identify when and where corrective actions may be needed. Strong and up-to-date DSPs could also help departments cope more effectively with capacity issues by prioritizing their limited resources to mitigate the highest security risks.

Physical security monitoring and reporting frameworks were either non-existent or limited.

DSOs were required to actively monitor the implementation of all security activities within their department and recommend appropriate remedial action to the deputy head or senior management committee (as appropriate) to address any deficiencies. This expectation included evaluating the achievement of objectives outlined in the DSP and the effectiveness of security controls, and reporting the results to the appropriate governance committees.

While most departments had completed some monitoring activities, these tended to be ad hoc, incomplete and informal. [Redacted]

Establishing formal processes to regularly monitor and report on compliance and the effectiveness of departmental physical security activities would help to proactively identify gaps and make any necessary adjustments. [Redacted]

Finding 3: Departmental physical security processes

Under the Directive on Departmental Security Management, security practitioners within departments were expected to select, implement and maintain physical security controls. The Secretariat’s Operational Security Standard on Physical Security provided baseline physical security requirements to counter threats to government employees, assets and service delivery. Baseline requirements were designed to provide a consistent minimum level of physical security controls across government in order to help mitigate common types of threats that departments would encounter. Certain departments could face different threats because of the nature of their operations, their location and/or the attractiveness of their assets. The standard therefore prescribed a physical security approach to help departments supplement baseline physical security controls where appropriate, based on the particular threats and risks they face. The RCMP also issued various technical guidance to support departments in tailoring physical security controls to meet their needs.

The audit focused on expectations outlined in the Secretariat’s policy instruments and the RCMP’s technical guidance in effect as of June 30, 2017 (see Appendix A), and assessed whether departments had processes in place to assess threats and risks, identify and implement physical security controls, report and investigate security incidents, and implement corrective actions following incidents and/or investigations.

Upon review, it was determined that the renewed Treasury Board security policy framework issued in July 2019 does not negate the requirements of the previous policy framework on which the findings in this section are based.^{Footnote 30} Recommendations in this section were framed in the context of the renewed policy framework to ensure their continued relevance.

Given the previously mentioned delay in reporting for this audit, some of the participating departments may have since addressed the findings and recommendations presented in this section. Any progress made in this regard is to be reflected and tracked in departmental management action plans.

While all departments completed some form of TRAs, their coverage and the level of rigor to develop and maintain these could be improved.

The Directive on Departmental Security Management required departments to document, implement and maintain processes for the systematic management of security risks to ensure continual adaptation to their changing needs and threat environment. Under the Secretariat’s Security Organization and Administration Standard, departments were expected to complete TRAs for sensitive information and assets as part of the risk management approach to security. The TRA process was concerned with defining what required protection, analyzing and assessing threats and risks, and making recommendations for the management of risks. Specific technical guidance on how to complete TRAs was provided in the Secretariat’s Security Organization and Administration Standard and in the Harmonized TRA Methodology (issued by the RCMP and the Communications Security Establishment Canada). According to the Secretariat’s Operational Security Standard on Physical Security, departments were expected to base their selection and implementation of physical security controls on the results of TRAs.

The audit assessed whether departments had conducted and maintained up-to-date TRAs for their facilities in alignment with the Security Organization and Administration Standard and the Harmonized TRA Methodology.

All departments completed some form of TRAs or equivalent security assessments and, in most cases, had provided employees with relevant training and guidance on TRAs prior to completing the assessments. In addition, all large departments and half of the small departments had consulted relevant internal stakeholders while developing these assessments.

[Redacted]^{Footnote 31} Most departments also indicated that they had not consulted external stakeholders such as lead security agencies as part of their TRA process to seek additional advice and guidance. [Redacted]

[Redacted] Strong TRA processes, coupled with the implementation of TRA recommendations, help reduce the risk that some areas within departments may be under-protected by physical security controls.

Most departments had processes in place to implement physical security controls based on TRAs. [Redacted]

Following TRAs, the next steps in managing security risks relate to the approval and implementation of safeguards. The Secretariat’s Operational Security Standard on Physical Security required departments to ensure that access to and safeguards for protected and classified assets were based on a clearly discernable hierarchy of zones.^{Footnote 32} The standard also required departments to control access to restricted-access areas using safeguards that would grant access only to authorized employees.

The audit assessed whether departments had processes in place to approve and implement facility access controls and hierarchy of zones to protect information, assets and employees in alignment with TRAs and the previously mentioned standard. The audit also examined departmental processes in place to implement and approve devices, systems and procedures to detect attempted or actual physical security incidents. As part of these processes, the audit expected that all relevant stakeholders within departments and lead security agencies would have been consulted.

Although not always formalized, the majority of departments had processes in place to implement the physical security controls assessed. [Redacted] Additionally, opportunities for improvements were identified in most of the small departments with respect to ensuring that all relevant internal and external stakeholders are consulted as part of the process to implement physical security controls.

Adopting formal processes [Redacted] would help departments strengthen their ability to adequately protect their employees, information and assets from compromise.

In general, processes for reporting security incidents were defined and communicated; however, in most small departments, they were not followed consistently. In the majority of departments, the audit also found no evidence demonstrating that incidents had been both investigated and the results of such investigations reported to senior management.

Within the context of physical security, the response process involved reporting security incidents to the appropriate security officials and taking immediate and long-term corrective action. Under the Policy on Government Security, deputy heads were responsible for the completion of investigations and assessments of the effectiveness of the departmental security program.

The audit found that the majority of departments had fully defined and communicated security incident reporting processes. However, in most of the small departments and in one large department, these processes were not followed consistently for the incidents sampled as part of the audit.

Half of the departments also had not fully defined a process to investigate security incidents and report the results of such investigations to the relevant stakeholders. Furthermore, the majority of departments did not demonstrate that the incidents sampled as part of the audit were both investigated and the results of such investigations reported consistently to senior management. Some departments indicated that they did not think it was necessary to report the results of investigations into security incidents to senior management. While departments that identified required corrective actions during investigations did implement these in most cases, the majority of departments have not established a formal process to track and follow up on investigation recommendations.

Consistently implementing security incident reporting and investigation processes would strengthen the physical security response and help identify areas where improvements are needed to physical security controls. Regularly tracking and following up on investigation recommendations would further encourage the timely adoption of corrective actions within departments.