ARCHIVED - Audit of the Security Program - Follow-up Report Status Update as of September 30, 2010


Action Plan Implementation Status Update Report To The Audit Committee - As of September 30, 2010

Human Resources and Workplace Services - Security and Occupational Health and Safety Division (SOHSD)

Audit of Security (Project 09/79)
AEC Approval Date: May 14, 2010

Project Recommendations | Action Plan | Expected Completion Date | Program Response
1. The DSO should update the departmental security policy to more clearly communicate the existing security related roles, responsibilities and accountabilities of the Departmental Security Officer, ADMs, RDGs, security practitioners, contracting staff, line managers and employees.
SOHSD will:
  • In consultation with other federal departments, develop a Statement of roles and responsibilities to be incorporated in the Departmental Security Policy.
2010-DEC Status: In Progress

Update/Rationale:
As of 30/09/2010:

On Sept 10th 2010, the DSO sent an email to all Sector Managers requesting them to invite him to a management meeting in order to make a presentation on the audit results and recommendations, to seek their support and to better serve them. The presentation is focused on Rec no 4 (appointment of Sector Security Coordinators (SSC)). To date, presentations have been made to three sectors.

AES: Underway

  • Present the draft to ADMs, RDGs and security practitioners for their review and comments.
2010-DEC
  • Implement the Statement of roles and responsibilities.
2011-JUN
2. The DSO should further develop and communicate procedures and guidance to support implementation of the departmental security program in regions and sectors (e.g., procedures for lock-up at end of day, guidance on what to look for when conducting a security sweep, trainer's materials for delivering security awareness activities and guidance on how to establish and maintain physical security zones).
SOHSD will:
  • Review, identify and prioritize gaps in the existing procedures.
2011-MAR Status: In Progress

Update/Rationale:
As of 30/09/2010:

Sept 2010: SOHSD identified existing and non-existing departmental policies, guidelines and procedures (total: 26) and prepared a timeline for the review and the update of same. Due to limited resources, priority will be given to the preparation of the Statement of Roles and Responsibilities, more specifically for the Sector Security Coordinators (SSC) to be incorporated in the Departmental Security Policy as per recommendation no. 1.

AES: Underway

Pending HR and Financial resources, expertise and new PGS Standards, SOHSD will:
  • Update existing procedures and develop new ones to be included in the Security Management Framework.
2012-MAR
  • Communicate updated procedures to those who need them.
2012-MAR
3. The ADMs responsible for regional staff and operations should work with the DSO to ensure that sufficient attention and resources are devoted to security in regions, including ensuring that RSOs have sufficient time to perform their security-related duties.
Following recommendation no 1, DSO to obtain buy-in from ADMs responsible for regional staff and operations:
  • To ensure their engagement towards the security program in their respective region.
  • To refocus the Regional Security Officers (RSOs) responsibilities to ensure sufficient time for security duties.
  • To ensure that RSOs undergo mandatory training related to their duties.
  • To ensure that the security awareness program is active in their respective region.
2011-MAR Status: In Progress

Update/Rationale:
As of 30/09/2010:

During the week of September 20th 2010, the DSO was in Winnipeg, and during the week of Oct 4th 2010 in Iqaluit, to make a presentation on the security program and the results of the audit to the Senior Managers of the Manitoba and Nunavut Regions to ensure their continuous engagement towards the security program. The DSO and support staff hosted the National RSO / SSO's workshop in Winnipeg, where training was provided as well.

DSO scheduled a 5 day security training for RSOs in March 2011.

RSOs will be approached to actively participate in this year's Security Awareness Week scheduled for February 2011. They will be provided with material, strategies and promotional items to ensure the success of that awareness campaign in their respective regions.

The RSOs' roles and responsibilities are currently being revised and will be presented to RDGs and ADMs with regional responsibilities for approval.

AES: Underway

4. INAC should consider appointing Sector Security Officers in all sectors to support implementation of the security program, similar to the Regional Security Officer role. The responsibilities attached to this role and associated level of effort should be presented to INAC Senior Management when the departmental security policy is next updated.
Define role and responsibilities for Sector Security Officer as per Recommendation # 1, and determine the associated level of effort the position will require.
2010-DEC Status: In Progress

Update/Rationale:
As of 30/09/2010:

On Sept 10th 2010, the DSO sent an email to all Sector Managers requesting them to invite him to a management meeting in order to make a presentation on the audit results and recommendations, to seek their support and to better serve them. The presentation is focused on Rec no 4 (appointment of Sector Security Coordinators). To date, presentations have been made to three sectors.

The topic of the importance of appointing a Sector Security Coordinator will be covered. To date, one sector has appointed a DG to be the champion of security and six sectors have appointed a Sector Security Coordinator.

AES: Underway

DSO to seek approval from Senior Management for the introduction of the Sector Security Officer role. 2011-MAR
5. The DSO should develop a strategically focused departmental security plan that outlines departmental security objectives and priorities, resource requirements, timelines for meeting baseline government security requirements, and plans for updating all required Threat and Risk Assessments (TRAs) over a five-year cycle.
DSO will develop a 3 year strategic plan:
  • To integrate this action plan in the strategic plan.
  • To include departmental security objectives, resource requirements, priorities and timelines.
  • To include a prioritization of the TRAs nationwide in a 5 year cycle.
2010-AUG Status: In Progress

Update/Rationale:
As of 30/09/2010:

On June 25th 2010, TBS issued Guidelines for the Development of Departmental Security Plan to support the policy requirement of the Policy on Government Security.

In September 2010, DG HRWSMC hired a contractor to develop an annual plan.

Further to the guidelines received in June 2010, the Management Response / Actions are being amended to reflect the requirements.

INAC actively participates in the interdepartmental committee established by TBS to develop the Security Performance Measurement Framework. This will assist in better positioning Security within the federal government (i.e. MAF, Departmental Risk Management Reports...) and align the key performance indicators for the development of the Annual Security Plan. Committee results are expected in April 2011.

AES: Underway

DSO to develop annual plan for FY 2011-12 as per Policy on Government Security. 2011-MAR
6. The DSO should improve monitoring of the effectiveness of the security program in regions and sectors to support its continuous improvement (e.g. tracking implementation of recommendations from TRAs, performing random spot checks of security in contracting controls, tracking issues raised in security sweeps to ensure their timely resolution, and performing annual on-site visits to support security practitioners in regions and sectors).
Implementation of recommendation no 3 will include specific reporting requirements.

DSO to request regional input to extend beyond NCR the collection of additional statistical data.

Note: Since October 2009, at the DSO's request, regions are providing statistical data on incident reports, sweeps and TRAs which are compiled for trend analysis purposes.

  Status: In Progress

Update/Rationale:
As of 30/09/2010:

RSOs continue to send statistical data to SOHSD. On Aug 11th 2010, data collected from all regions in reference to security screening and contracts, awareness sessions, security incident reports, sweeps and access cards was presented to the Associate DM.

During the week of September 20th 2010, the DSO was in Winnipeg, and during the week of Oct 4th 2010 in Iqaluit, to make a presentation on the security program and the results of the audit to the Senior Managers of the Manitoba and Nunavut Regions to ensure their continuous engagement towards the security program. In Winnipeg, the DSO and support staff hosted the National RSO / SSO's workshop, where this recommendation was addressed and discussed.

HRWSB created a Monitoring and Compliance unit that will assist Security in developing a strategy for the review of the security files.

AES: Underway

  • RSOs to address known risks and to report to DSO.
2011-APR
  • DSO to conduct trend analysis from information obtained nationwide.
2011-MAY
  • DSO to conduct annual regional and sector visits.
2011-MAR
  • DSO to report performance data to HRWSMC
2011-JUN
7. The DSO should further develop the security awareness program to extend its reach to regional staff and improve coverage of information safeguarding and security in contracting requirements.
SOHSD:
  • To staff the security training and awareness position
2011-MAR Status: In Progress

Update/Rationale:
As of 30/09/2010:

(SOHSD is planning on staffing the security training and awareness position this fiscal year. Objectives will be established according to the departmental priorities)

In August 2010, the DSO sent a communication to all Sector Managers to inform them of new procedures to mark and safeguard IT Media. Included in the communication was a red tag marked secret to be attached to USB keys that contain secret information.

RSOs will be approached by the DSO to actively participate in this year's Security Awareness Week scheduled for February 2011. They will be provided with material, strategies and promotional items to ensure the success of that awareness campaign in their respective regions.

AES: Underway

  • To review existing awareness material.
2011-JUN
  • To identify gaps with the existing awareness program
2011-JUN
  • In sync with Actions described in #3, to review awareness presentations including speaking notes for the RSOs' use.
2011-JUN
  • To obtain feedback from the RSOs for analysis and improvement purposes.
2011-JUN
  • To ensure added focus is placed on classification, handling and disposal of information, as well as requirements for security in contracting (completion of SRCLs).
2011-DEC
  • To produce an online security awareness training session.
2011-DEC
8. The DSO should increase focus on monitoring the effectiveness of security in contracting processes and reduce its direct involvement in the review of Security Requirements Checklists and contract clauses. To accomplish this, an organizational and functional review of the security in contracting function is required to ensure that sufficiently trained and competent contracting officers review and approve security requirements and security clauses. Furthermore, a comprehensive and effective security in contracting compliance monitoring and reporting program is required to ensure compliance is achieved and maintained across the department.
DSO to consult with the CFO to:
  • Agree and develop a strategy to transfer all direct involvement in the review of security requirements, approval of Security Requirement
2010-SEP Status: In Progress

Update/Rationale:
As of 30/09/2010:

The DSO consulted with ten other DSOs as well as 25 PWGSC working committee members in reference to security in contracting, and it was clear that, in the majority of the departments, it is not normal procedure for procurement officers to approve security requirements and security clauses; it is corporate security's duty and business to do so.

On September 14th 2010, the DSO and the DG Corporate Accounting & Material Management discussed this recommendation and neither concurred with part of it due to the above noted findings.

Prior to the audit, the DSO and the Director of Material and Assets Management Division had already revised existing procedures and developed new ones for the completion and review of SRCLs and inclusion of security clauses in contracts. The procedures are in draft, and consideration will be given to including the Sector Security Coordinators in the process mapping once their roles and responsibilities are approved.

In view of the above, DSO amended the Management Response / Actions to remove "DSO to consult with the CFO to agree and develop strategy to transfer all direct involvement in the review and approval of security requirements (to procurement officers)."

On October 7, 2010, the DG of HRWSB approved the DSO's recommendation to create a one-stop shop for contracts with security requirements. To do so, the DSO is planning to:

  • Communicate strategy to senior management in December 2010.
  • Organize a training workshop with procurement officers and security in contracting officers.
  • Implement new process by April 2011.

AES: Underway

  • Revise existing procedures and to develop new ones for the completion and review of SRCLs and inclusion of security clauses in contracts.
  • To develop training modules for RCMs and contracting administrators for the management of the SRCL process.
  • To develop training modules for Security Officers responsible for compliance of contract security requirements.

DSO:

  • To increase focus on monitoring the effectiveness of security in contracting processes.

CFO:

  • To identify a contracting officer(s) to review and to process SRCL forms and to liaise with SOHSD.

Note: Checklists and security clauses include this shared activity (DSO/CFO) in the Statement of Roles and Responsibilities as per recommendation no 1.

2011-MAR
 
 