November 2009
Recommended for Approval to the Deputy Minister by the Departmental Audit Committee on July 8, 2009
Approved by the Deputy Minister on July 22, 2009
Table of Contents
- 1.0 Executive Summary
- 2.0 About the Audit
- 3.0 Findings and Recommendations
- 4.0 Appendix A – Detailed Audit Criteria
- 5.0 Appendix B – Management Action Plan
1.0 Executive Summary
1.1 Introduction
The objective of Industry Canada's Departmental Security Policy (DSP) is to provide a framework for Industry Canada's Physical Security Services Program as it carries out its mission to safeguard employees, information and assets, and assure the continued delivery of services. The Industry Canada DSP supports the Government Security Policy (GSP).
In order to meet the GSP and DSP requirements, the Security Services Directorate offers a wide range of security services that strive to ensure the safety and security of all Industry Canada employees and assets, as well as the continuous delivery of critical departmental functions and services.
The objective of this audit was to provide assurance that Industry Canada complies with relevant physical security legislation, policies, directives and procedures.
The scope of the audit covered current non-IT security aspects of the departmental security program. Business Continuity Planning and Information Management have been defined as out of scope for this audit and will be addressed in future audits.
For the purposes of this audit, physical security is defined as all elements of the Government Security Policy that support the Government of Canada's business objectives by safeguarding employees and assets.
1.2 Main Findings
The security training and awareness program developed by the Security Services Directorate is well received by all IC employees.
Governance:
- Roles and Responsibilities of Regional Security Representatives (RSRs) are not clearly defined.
- Lack of communication between regional offices exists.
Controls:
- Resource and competency needs are not defined.
- No formal regional security training plans exist.
Risk Management:
- Threat and Risk Assessment (TRA) recommendations are not followed up.
1.3 Recommendations
Governance:
- The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that work descriptions of Regional Security Representatives are reviewed to include specific security responsibilities.
- The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that regular meetings (either in person or through conference call) involving all Regional Security Representatives be conducted to identify issues and share information.
Controls:
- The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that the planning of security resources includes an analysis of requirements and competencies and is reflected in the Comptrollership and Administration Sector (CAS) Strategic Human Resources Plan.
- The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a more comprehensive training plan be developed for Regional Security Representatives.
Risk Management:
- The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a management response be required after each TRA to monitor implementation of TRA recommendations.
1.4 Statement of Assurance
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. This opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
1.5 Audit Opinion
In my opinion, Security Services Directorate has noteworthy weaknesses, with low risk exposures related to risk management, control, and governance processes relative to departmental physical security that require management attention.
Bill Merklinger
Chief Audit Executive, Industry Canada
Date
2.0 About the Audit
2.1 Background
The objective of the Industry Canada Departmental Security Policy (DSP) is to provide a framework for Industry Canada's Physical Security Services Program as it carries out its mission to safeguard employees, information and assets, and assure the continued delivery of services. The Industry Canada Departmental Security Policy supports the Government Security Policy (GSP), which prescribes that training and awareness activities are required to ensure that personnel of the Government of Canada have basic knowledge of security practices in their daily activities.
In order to assist in meeting the GSP and DSP requirements, the Security Services Directorate (SSD) offers a wide range of security services that strive to ensure the safety and security of all Industry Canada employees and assets, as well as the continuous delivery of critical departmental functions and services.
This is achieved through the provision of:
- Security training and awareness;
- Categorization of departmental information and assets;
- Appropriate screening of departmental personnel;
- Investigative response and techniques;
- Threat and risk assessments;
- Implementing security measures for accessing Industry Canada facilities; and
- The development, testing and maintenance of Business Continuity plans.
2.2 Objective
The objective of the audit was to provide assurance that Industry Canada complies with relevant physical security legislation, policies, directives and procedures.
2.3 Scope
The scope of the audit covered current non-IT security aspects of the departmental security program. Business Continuity Planning (BCP) and Information Management (IM) have been defined as out of scope for this audit and will be addressed in future audits.
For the purposes of this audit, physical security is defined as all elements of the Government Security Policy that support the Government of Canada's business objectives by safeguarding employees and assets.
2.4 Methodology
This internal audit of Physical Security was conducted following the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA) and in accordance with the Federal Government Policy on Internal Audit. The audit fieldwork was completed between December 2008 and March 2009. The audit work consisted of the examination of documents, interviews of key individuals and a review of relevant policies and procedures. Specifically, the following activities were undertaken by the audit team:
- Examination of Industry Canada's compliance with the GSP and DSP;
- Interviews with key managers in the SSD and Regional Security Representatives (RSRs);
- Review of Documentation including: security services plans and priorities, SSD organizational chart, security services workplans, and RCMP technical guidelines;
- Examination of Comptrollership and Administration Sector (CAS) Strategic Human Resources Plan;
- Testing of follow-ups to Threat and Risk Assessments in headquarters and regions.
3.0 Findings and Recommendations
3.1 Introduction
This section presents the detailed findings from the department-wide Audit of Physical Security. Findings are based on the evidence and analysis gathered during both the planning phase and the detailed audit work performed.
The security training and awareness program developed by the Security Services Directorate is well received by all IC employees.
3.2 Governance
Finding 1.0: Roles and Responsibilities of Regional Security Representatives (RSRs) are not clearly defined
Clear and comprehensive work descriptions are required for employees to understand their accountabilities.
A sample of 10 regional work descriptions was examined by the audit team. It was found that work descriptions of RSRs do not clearly describe their security responsibilities and competencies. Security related responsibilities are spread throughout work descriptions and are not stated in a clear and comprehensive manner.
The roles and responsibilities of RSRs with respect to threat and risk assessments are also unclear. Undefined roles and responsibilities may result in lower implementation rates for TRA recommendations, which in turn may increase risks to Industry Canada's assets and employees.
The absence of clear and comprehensive work descriptions makes it difficult for RSRs to understand their security related responsibilities.
Recommendation 1.0:
The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that work descriptions of Regional Security Representatives are reviewed to include specific security responsibilities.
Finding 2.0: Lack of communication between regional offices exists
Open and regular communication is required to exchange information, address issues and share knowledge. An organizational structure that permits clear lines of communication and reporting will foster sufficient information exchange and create learning opportunities.
Through interviews with RSRs it was found that monthly meetings have been requested to share security knowledge among regional offices and headquarters. Although SSD is available to answer questions and address concerns, formal meetings are not held.
Monthly or quarterly meetings would provide a forum to address common issues and create synergies. Shared discussion would also increase the knowledge of regional representatives, many of whom are new to their positions.
Recommendation 2.0:
The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that regular meetings (either in person or through conference call) involving all Regional Security Representatives be conducted to identify issues and share information.
3.3 Internal Control
Finding 3.0: Resource and competency needs are not defined
The CAS Strategic Human Resources Plan should include an analysis of current and future SSD resource and competency needs. Such an analysis would help ensure that SSD is able to meet both current and future capacity needs and comply with GSP and DSP requirements.
The review of the 2008–2009 Strategic Human Resources Plan did not show an analysis of security resource and competency requirements. The plan discussed succession planning at a strategic level but did not provide any analysis of security resource and competency needs.
Compliance with the current GSP and DSP may not be sustainable if required resources are not identified. Additionally, resource requirements for the new Policy on Government Security must be identified and addressed.
Recommendation 3.0:
The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that the planning of security resources includes an analysis of requirements and competencies and is reflected in the CAS Strategic Human Resources Plan.
Finding 4.0: No formal regional security training plans exist
Section 10.5 of the Government Security Policy requires that individuals who have specific security duties receive appropriate, up-to-date training. Comprehensive training plans are necessary to build future capacity and to ensure that employees have the skills needed to complete their day-to-day activities.
The audit team found that comprehensive training plans were not present in regions. Interviews of RSRs indicated that additional training programs from SSD would be helpful in fulfilling security responsibilities.
Insufficient training plans may lead to capacity shortfalls and this may create difficulty in complying with security requirements in future periods.
Recommendation 4.0:
The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a more comprehensive training plan be developed for RSRs.
3.4 Risk Management
Finding 5.0: Threat and Risk Assessment (TRA) recommendations are not followed up
Section 10.7 of the Government Security Policy states that departments must continuously monitor for any change in the threat environment and make any adjustment necessary to maintain an acceptable level of risk and a balance between operational needs and security.
In order for a TRA to be effective, action must be taken to implement security measures recommended by security analysts. Management must take steps to ensure TRA recommendations are appropriately followed up and action is taken on recommendations in a timely manner.
Interviews revealed that RSRs' roles and responsibilities are not clear with regard to implementing TRA recommendations. Regionally, of 99 TRA recommendations tested, 30, or 30%, were found not to have been implemented. At headquarters, of 24 recommendations tested, 3, or 11%, were found not to have been implemented.
Unimplemented TRA recommendations could leave Industry Canada employees and assets at risk.
Recommendation 5.0:
The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a management response be required after each TRA to monitor implementation of TRA recommendations.
Appendix A – Detailed Audit Criteria
Governance
- Responsibilities and performance expectations to which managers and supervisors are held accountable are formally defined (based on operational/strategic objectives, realistic) and clearly communicated. Employees' duties and responsibilities are clearly defined.
- Authority is formally delegated and delegated authority is aligned with the individuals' responsibilities.
- A formal system is in place to formally acknowledge understanding and acceptance of accountabilities.
- Supervisory personnel meet periodically with employees to review job performance and suggestions for improvement.
- The organizational structure is up-to-date and widely communicated.
- The organizational structure permits clear and effective lines of communication and reporting (e.g., established reporting relationships, whether formal or informal, direct or indirect, provide managers with information appropriate to their responsibilities and authority).
- Managerial spans of control are appropriate.
- Functional authority is appropriately vested in and exercised by functional heads.
Internal Control
- HR planning and strategic and/or business planning are clearly aligned (e.g. Strategic and business plans reference HR requirements).
- An HR Plan is documented and communicated and includes the following elements:
  - Analysis of current and future resource and competency needs;
  - Analysis of key positions and succession planning; and
  - Training and development plan.
- A comprehensive training and development plan exists and is comprised of the following key elements:
  - An identification of competency/capacity requirements;
  - An analysis of the current knowledge complement against competency/capacity requirements (needs analysis);
  - Training and development plans that are aligned with the business plan (tested in PPL-1); and
  - Actions and priorities, and related roles and responsibilities.
- Employees have access to sufficient tools, such as, software, equipment, work methodologies and standard operating procedures.
- Key positions and activities have been identified and sufficient back-up exists.
- Training and development plans are resourced and actioned.
- An information sharing process exists to support the efficient and targeted dissemination of relevant and reliable information to those that need it.
- The processes in place adhere to relevant legislative and regulatory requirements and TBS policies, and are in line with the organization's values, ethics and codes of conduct.
- The processes are understood and are complied with.
- For services delivered by third parties, management has implemented a program to monitor their activities.
Risk Management
- Residual risk exposure is examined against established risk tolerances by the level of management responsible for the risk.
- A formal response (e.g., avoid, mitigate or accept) to the risk is documented and communicated to all necessary parties.
- Action plans are put in place to manage or treat risks that are deemed by management to be unacceptable. Action plans include:
  - Specific mitigation measures;
  - The timeline during which the measures will be applied; and
  - The owner of each action.
Appendix B – Management Action Plan
| Recommendation (Page/Section) | Planned Action or Justification for no action on the Recommendation | Responsible Official | Target Completion Date | Current Status |
|---|---|---|---|---|
| Recommendation 1: The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that work descriptions of Regional Security Representatives are reviewed to include specific security responsibilities. | Management agrees with the recommendation. Security Services will assist the responsible Regional official in reviewing and amending job descriptions with security responsibilities and submit them to the DSO for approval. | DG PSSB | March 2010 | |
| Recommendation 2: The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that regular meetings (either in person or through conference call) involving all Regional Security Representatives be conducted to identify issues and share information. | Management agrees with the recommendation. The Security Services Directorate's key personnel will hold regular teleconferences with the regional security officials and their managers to discuss current security issues. | DG PSSB | August 2009 | |
| Recommendation 3: The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that the planning of security resources includes an analysis of requirements and competencies and is reflected in the CAS Strategic Human Resources Plan. | Management agrees with the recommendation. A capability and capacity assessment has been conducted. The results will be included in the HR Strategic Plan. | DG PSSB | Completed | |
| Recommendation 4: The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a more comprehensive training plan be developed for RSRs. | Management agrees with the recommendation. The capabilities of the Regional Security Representatives will be assessed. A training plan will be developed to increase the knowledge of the Regional Security Representatives. The focus of the training will be on providing expertise on specific physical security measures such as site plans, locking mechanisms, access control, TRAs and investigative measures, along with an understanding of the various processes for ensuring the proper identification and categorization of assets in order to avoid any possible unauthorized disclosure of sensitive departmental information. | DG PSSB | January 2010 | |
| Recommendation 5: The Director General, Procurement, Stewardship and Security, in consultation with the Departmental Security Officer (DSO), should ensure that a management response be required after each TRA to monitor implementation of TRA recommendations. | Management agrees with the recommendation. A monitoring system will be established to ensure that TRA recommendations are addressed. | DG PSSB | October 2009 | |