ARCHIVED - Audit of Security - Follow-up Report Status Update as of March 31, 2012

Action Plan Implementation Status Update Report to the Audit Committee - As of March 31, 2012

Human Resources and Workplace Services - Security and Occupational Health and Safety Division (SOHSD)

Audit of Security (Project 09/79)
Approval Date: May 14, 2010

Project Recommendations | Action Plan | Expected Completion Date | Program Response
1. The DSO should update the departmental security policy to more clearly communicate the existing security related roles, responsibilities and accountabilities of the Departmental Security Officer, ADMs, RDGs, security practitioners, contracting staff, line managers and employees.
  • SOHSD will:

    • In consultation with other federal departments, develop a Statement of roles and responsibilities to be incorporated in the Departmental Security Policy.
2010-DEC
Status: Underway

Update/rationale:

As of 31/03/2012: The Departmental Security Plan determined the need for a comparative study to ensure AANDC has the proper structure and resources in place. This study is to be completed by March 31, 2012. The results of this study are required to complete the Statement of Roles and Responsibilities.

AES: Recommendation is closed.
  • Present the draft to ADMs, RDGs and security practitioners for their review and comments.
2010-DEC
  • Implement the Statement of roles and responsibilities.
2011-JUN
2. The DSO should further develop and communicate procedures and guidance to support implementation of the departmental security program in regions and sectors (e.g., procedures for lock-up at end of day, guidance on what to look for when conducting a security sweep, trainers' materials for delivering security awareness activities and guidance on how to establish and maintain physical security zones).
  • SOHSD will:

    • Review, identify and prioritize gaps in the existing procedures.

  • Pending HR and Financial resources, expertise and new Policy on Government Security Standards, SOHSD will:
2011-MAR
Status:

Update/Rationale:
As of 31/03/2011:

To date SOHSD has developed and revised the following:

1) Development and implementation of the Guideline on Protecting and Handling Information

2) Development and implementation of a new procedure for Security in Contracting

3) Development of a guideline on security of information when temporarily working outside the workplace or in transit

4) Development and implementation of new security screening procedures for managers

5) Development of security sweep procedures and tools

6) Development and implementation of roles and responsibilities for Sector Security Coordinators entitled Sector Security Coordinator Handbook.

AES: Fully implemented. The recommendation has been closed.
  • Update existing procedures and develop new ones to be included in the Security Management Framework.
2012-MAR
  • Communicate updated procedures to those who need them.
2012-MAR
3. The ADMs responsible for regional staff and operations should work with the DSO to ensure that sufficient attention and resources are devoted to security in regions, including ensuring that RSOs have sufficient time to perform their security-related duties.
  • Following recommendation no 1, DSO to obtain buy-in from ADMs responsible for regional staff and operations:

    • To ensure their engagement towards the security program in their respective region.

    • To refocus the Regional Security Officers (RSOs) responsibilities to ensure sufficient time for security duties.

    • To ensure that RSOs undergo mandatory training related to their duties.

    • To ensure that the security awareness program is active in their respective region.
2011-MAR
Status:


Update/Rationale:
As of 31/03/2011:

During the week of December 6, 2010: The DSO visited the Quebec region to make a presentation on the security program and the results of the audit to the Senior Managers to ensure their continuous engagement towards the security program.

The DSO also discussed with the ADMs responsible for the Southern and Northern regions the regional engagement towards the security program. This was also discussed during the presentation to the HRWSMC on Departmental Security Plan.

This will be assessed as part of the 3 year strategy of the Departmental Security Plan.

During the week of March 7 to 11, 2011, the annual training session for RSO and SSC was held in the NCR region. A total of 25 participants attended from across the Department.

The DSO is in contact with the RSOs to provide statistical data with regard to inspections, awareness sessions and incidents.

AES: Fully implemented. The recommendation has been closed.
4. AANDC should consider appointing Sector Security Officers in all sectors to support implementation of the security program, similar to the Regional Security Officer role. The responsibilities attached to this role and associated level of effort should be presented to AANDC Senior Management when the departmental security policy is next updated.
  • Define role and responsibilities for Sector Security Officer as per Recommendation # 1, and determine the associated level of effort the position will require.
2010-DEC
Status:

Update/Rationale:
As of 31/03/2011:

The roles and responsibilities for Sector Security Coordinators (SSC) were defined and presented to all sector representatives on January 19, 2011. Comments were received and another session was held on February 9, 2011 to review amendments.

Following a request from the DSO to seek support from Senior Management (presented in 12 sectors) for the introduction of the Sector Security Coordinator role, several SSCs have been appointed.

The Sector Security Coordinator Handbook will be distributed to all sector managers, sector security coordinators and their supervisors.

This new role will be officially introduced in one sector as a pilot project starting April 1, 2011. This sector will be asked to come back to the SSC table within 6 to 8 months to provide feedback on the advantages and issues noticed during that period.

AES: Fully implemented. The recommendation has been closed.
  • DSO to seek approval from Senior Management for the introduction of the Sector Security Officer role.
2011-MAR
5. The DSO should develop a strategically focused departmental security plan that outlines departmental security objectives and priorities, resource requirements, timelines for meeting baseline government security requirements, and plans for updating all required Threat and Risk Assessments (TRAs) over a five-year cycle.
  • DSO will develop a 3 year Departmental Security plan as per the Policy on Government Security:

    • To include departmental security strategies, objectives, resource requirements, priorities and timelines.

    • To include a prioritization of the TRAs nationwide in a 5 year cycle.

2010-AUG
Status: Underway

Update/Rationale:
As of 30/09/2011:

Item a) has been completed

Item a) - The DM and ADM approved and signed the Annual Security Plan in June 2011

Item b) - SOHSD is coordinating with all regions the five year TRA cycle for each facility.

Currently developing a condensed TRA template.

AES: Substantially implemented. The recommendation will be closed once the nationwide TRA cycle has been finalized and incorporated into the Departmental Security Plan.
6. The DSO should improve monitoring of the effectiveness of the security program in regions and sectors to support its continuous improvement (e.g. tracking implementation of recommendations from TRAs, performing random spot checks of security in contracting controls, tracking issues raised in security sweeps to ensure their timely resolution, and performing annual on-site visits to support security practitioners in regions and sectors).
  • Implementation of recommendation no 3 will include specific reporting requirements.
2011-APR
Status: Request to be closed (Completed)

Update/Rationale:
As of 30/09/2011:

DSO visited Yukon region in June 2011.

AES: Fully implemented. The recommendation has been closed.
  • DSO to request regional input to extend beyond NCR the collection of additional statistical data.
2011-MAY
  • Note: Since October 2009, at the DSO's request, regions are providing statistical data on incident reports, sweeps and TRAs which are compiled for trend analysis purposes.
2011-MAR
  • RSOs to address known risks and to report to DSO.

  • DSO to conduct trend analysis from information obtained nationwide.

  • DSO to conduct annual regional and sector visits.

  • DSO to report performance data to HRWSMC
2011-JUN
7. The DSO should further develop the security awareness program to extend its reach to regional staff and improve coverage of information safeguarding and security in contracting requirements.
  • SOHSD:

    • To staff the security training and awareness position
2011-MAR
Status:

Update/Rationale:
As of 31/03/2011:

The security training and awareness position will be staffed on April 4, 2011. One of the priorities will be to review existing awareness material and identify gaps with the existing awareness program.

SOHSD developed and implemented the Guideline on Protecting and Handling Information.

A prepared training package was also delivered to RSOs.

AES: Fully implemented. The recommendation has been closed.
  • To review existing awareness material.
2011-JUN
  • To identify gaps with the existing awareness program
2011-JUN
  • In sync with actions described in #3, to review awareness presentations including speaking notes for the RSOs' use.
2011-JUN
  • To obtain feedback from the RSOs for analysis and improvement purposes.
2011-JUN
  • To ensure added focus is placed on classification, handling and disposal of information, as well as requirements for security in contracting (completion of SRCLs).
2011-DEC
  • To produce an online security awareness training session.
2011-DEC
8. The DSO should increase focus on monitoring the effectiveness of security in contracting processes and reduce its direct involvement in the review of Security Requirements Checklists and contract clauses. To accomplish this, an organizational and functional review of the security in contracting function is required to ensure that sufficiently trained and competent contracting officers review and approve security requirements and security clauses. Furthermore, a comprehensive and effective security in contracting compliance monitoring and reporting program is required to ensure compliance is achieved and maintained across the department.
  • DSO to consult with the CFO to:

    • Revise existing procedures and to develop new ones for the completion and review of SRCLs and inclusion of security clauses in contracts.
2010-SEP
Status: Request to be closed (Completed)

Update/Rationale:
As of 30/09/2011:

Completed as of March 2011

AES: Fully implemented. The recommendation will be closed.
  • To develop training modules for RCMs and contracting administrators for the management of the SRCL process.

  • To develop training modules for Security Officers responsible for compliance of contract security requirements.

  • DSO:

    • To increase focus on monitoring the effectiveness of security in contracting processes.

  • CFO:

    • To identify contracting officers to review and to process SRCL forms and to liaise with SOHSD.
Note: Checklists and security clauses include this shared activity (DSO/CFO) in the Statement of Roles and Responsibilities as per recommendation no 1.
2011-MAR