Audit of Physical Security

September 16, 2010

Audit Key Steps

Opening conference date (launch memo) / May 2009
Audit plan sent to management date / November 2009
Closing conference date (exit debrief) / July 2010
Audit report sent to management date / August 2010
Management response received date / September 2010
Penultimate draft report approved by CAE date / September 2010
Audit committee recommended date / October 2010
Deputy Minister approval date / March 2011

List of Abbreviations:

ACEMD / Assets, Contracting and Environmental Management Directorate
ALM / Asset Lifecycle management
CCIW / Canada Centre for Inland Waters
CMC / Canadian Meteorological Centre
DDSM / Directives and Departmental Security Management
DSD / Departmental Security Division
DSO / Departmental Security Officer
EC / Environment Canada
FY / Fiscal Year
GSP / Government Security Policy
ID / Identification Card
IM & IT / Information management and information technology
MAF / Management Accountability Framework
NCR / National Capital Region
OCG / Office of the Comptroller General
OSH / Occupational Safety and Health
PGS / Policy on Government Security
RCMP / Royal Canadian Mounted Police
RSO / Regional Security Officer
SOS / Struck off strength
TB / Treasury Board of Canada
TBS / Treasury Board Secretariat
TRA / Threat and Risk Assessment

Prepared by the Audit and Evaluation Team

Acknowledgments

The audit team comprised of Ariane Laurence-Rouleau and Stella Line Cousineau, under the direction of Jean Leclerc, would like to thank those individuals who contributed to this project and, particularly, employees who provided insights and comments as part of this audit.

Table of Contents

1 Purpose i

2 Background i

3 Objectives and Scope i

4 Methodology iii

5 Statement of Assurance iv

6 Audit Opinion iv

7 Recommendations iv

8 Management Response v

Annex 1 Audit Criteria 7

Annex 2 List of Background Information and Supporting Documentation 8

Annex 3 Management Action Plan 9

Audit of Physical Security

This is an abbreviated version of the audit report as the release of the information contained in the full version of the report may represent apotentialthreat and risk to the security of Environment Canada.

1  Purpose

The Audit of the Physical Security was identified in the 2009–2012 Risk-Based Audit and Evaluation Plan, which was approved by the Deputy Minister on July 28, 2009.

2  Background

The Policy on Government Security defines Government security as “the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence.”

Back in February 2002,the Treasury Board of Canada(TBC)issued a revitalized Government Security Policy (GSP) in response to the increased threat implied by the events of September 11th, 2001. This policy was supported by a number of directives and standards providing guidance on its application. As required by this policy, Environment Canada (EC) appointed a Departmental Security Officer (DSO) and revisited the governance structure surrounding security. The GSP was replaced in July 2009 by a new Policy on Government Security (PGS). At the same time a Directive on Identity Management and a Directive on Departmental Security Management were also issued. While the policy took effect in July 2009, the departments have until July 2012 to comply with the sections related to the development and implementation of a Departmental Security Plan. Some tools to support the development of the key requirements of these new documents have already been issued. This is the case of the Treasury Board Guideline on Developing a Departmental Security Plan, issued in June 2010 and a completely restructured Management Accountability Framework (MAF) Line of Evidence 19, Security. Other tools, such as a Government of Canada Security Performance Measurement Framework, have only begun development and are not expected to be issued in this fiscal year. The DSO is supported by a staff of 25 including security support in the regions.

EC owns over 788M$ in tangible capital assets, and has a workforce of approximately 6800 people with 60% of the workforce located in regions. In addition, the Department holds sensitive information and critical service infrastructures, located in large cities as well as in remote locations.

This information, combined with the fact that the last audit of security was completed in 2000, brought Audit to consider this area as being high risk and thus, included in its risk-based audit plan.

3  Objectives and Scope

The main objective of the audit is to assess the adequacy and effectiveness of EC’s security measures and management controls, through four specific objectives focusing on high-risk areas:

  1. To assess the adequacy of the physical security threat identification and risk management process, with a focus on activities performed at the facility level.
  2. To determine whether roles and responsibilities of all parties involved in departmental physical security are clearly defined, performed by the appropriate party, and cover the span of security activity, as defined by the TB Policy on Government Security;
  3. To determine whether physical access to facilities, classified information and sensitive assets is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access; and
  4. To determine whether employees are aware of and comply with their roles and responsibilities with regard to physical security.

The scope of the audit included all facilities used in EC operations, regardless of the ownership, along with information and assets they contained. It also included all security practitioners, along with employees and managers having general security responsibilities other than Occupational Safety and Health (OSH), as this component was already covered in the Audit of Occupational Safety and Health (2009-2010).

Elements of the management control framework examined included, but was not limited to, policies, processes and procedures, organizational structure, roles and responsibilities, job descriptions, incident reporting system, monitoring, and threat and risk assessments.

At the departmental level, the audit addressed the following Management Accountability Framework (MAF) areas of management:

·  Stewardship (Assets are protected)

·  Risk Management (Management has a documented approach with respect to risk management)

·  People (The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities)

The audit did not include:

·  Classification of information, as this will be considered by the Audit of the Governance of Information Management scheduled for 2010-2011;

·  Protection of EC information shared with other governments and organizations, as this will also be considered by the Audit of the Governance of Information Management schedule for 2010-2011;

·  RCMP’s role in the individual security screening, including the portion dealt with by the Canadian Security Intelligence Service, as the RCMP has its own internal audit organization;

·  Information technology security, as it was recently the subject of the Audit of Information Technology Security and the MAF review. An action plan is being implemented to address the identified issues;

·  Security in contracting, as this was covered in the Audit of the Competitive Procurement Process; and

·  Emergency and business continuity planning, as an Audit of Business Continuity was originally planned for 2010-2011. This audit has since been removed from the audit plan to allow implementation of the Business Continuity Plan.

4  Methodology

The audit was conducted in accordance with the Treasury Board Policy on Internal Audit. The planning phase consisted of interviews and consultation with the auditee, review of information, documents and reports and the development of an audit program and associated tools. Detailed audit criteria are provided in Annex 1.

The examination phase included the following approach:

·  Interviews with security practitioners, program managers and employees;

·  Observations of physical safeguards in different facilities; and

·  Documentation examination and comparative analysis against best practices and guidance provided by lead security agencies.

The sample included fourteen (14) facilities out of 98 identified as working places where at least one employee worked from on a permanent basis. The sample was made on a judgemental basis; therefore,results cannot bestatistically extrapolated to the population. Selection criteria were prioritized and pro-rated based on the following assumptions:

·  Protection of employees is more important than protection of information and tangible assets;

·  Protection of critical services and critical support functions information and tangible assets is more important than protection of other information and tangible assets;

·  Protection of information and sensitive assets is more important than protection of other tangible assets (sensitivity over materiality); and

·  Facilities shared with other organizations are more at risk than facilities for which EC is the only tenant.

These assumptions were discussed andagreed uponbythe Director, Departmental Security Division (DSD) prior to the commencement of the examination phase.

Limitations

Although visited facilities were considered high-risk, Internal Audit was unable to reconcile the lists of facilities provided by the DSD with another source of information, and therefore, could not assess to which extent samplingwas based on acomplete and accurate list of facilities. In addition, Internal Audit concluded thatdata maintained in MERLIN could not effectively be used to track assets to their actual locations, and therefore, could not be used as a starting point for testing. Consequently, the conclusion on physical security of tangible assets is limited to observable assets in visited facilities. One of the key objectives for the current Assets Life Cycle Management (ALM) project being led by Assets, Contracting and Environmental Management Directorate (ACEMD), is to complete an assets count and valuation (capital and non-capital) and incorporate this information into the new extension to MERLIN for life cycle management of assets.

5  Statement of Assurance

This audit has been conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada.

In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions are based on a comparison of the situations as they existed between November 2009 and April 2010, against the audit criteria.

6  Audit Opinion

In our opinion, management controls and security measures were not sufficient to ensure rigorous and documented security risk management pertaining to physical security. In fact, a number of deficiencies were noted in the following areas: threat and risk management, roles and responsibilities, awareness, policies and procedures, and incident management.

7  Summary of Recommendations

The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should:

1.  Continue the implementation of an integrated security threat and risk management methodology.

The Assistant Deputy Minister, Finance and Corporate Branch should:

2.  Clearly define, document and communicate reporting and functional relationships with other administrative functions such as Information Management and Information Technology Security, and Accommodations.

The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should:

3.  Continue to develop and implement a security awareness program

The Assistant Deputy Minister, Finance and Corporate Branch should:

4.  Implement a formalapproach to security policy design and review including :

·  A review of the current tools and references posted on the intranet

·  Continue the development and implementation of departmental direction, standards, guidance and procedures on the control of access.

5.  Strengthen the incident management process

8  Management Response

Management agrees with all recommendations, and a detailed action plan to address the audit recommendations has been developed. See Annex 3

12

Environment Canada

Audit of Physical Security

Annex 1Audit Criteria

Annex 2List of Background Information and Supporting Documentation

Treasury Board Policies, Directives and Standards:

Policy on Government Security

Government Security Policy (Archived 2009-07-06)

Directive on Departmental Security Management

Directive on Losses of Money or Property

Operational Security Standard on Physical Security

Personnel Security Standard

Security Organization and Administration Standard

Royal Canadian Mounted Police – Technical Security Branch Publications:

G1-001 – Security Equipment Guide

G1-005 – Preparation of Physical Security Briefs

G1-006 – Identification Cards / Access Badges

G1-009 - Transport and Transmittal of Protected and Classified Information

G1-024 – Controls of Access

G1-025 – Protection, Detection and Response

G1-026 – Application of Physical Security Zones

Harmonized TRA Methodology

Departmental References:

Department Security Manual on Physical Security

Foreign Visitors Directive – Personnel Security

Interim Reliability Status Directive – Personnel Security

Physical Security Directive (May 2004)

Policy on Write-Off of Materiel

Preamble Note to Managers (Security Briefing)

Quick Reference Guide (Protected/Classified Information)

Security Sweeps Directive

Annex 3Management Action Plan

# / Summary of Recommendations / Management Actions/Activities / Lead / Due Date
1 / The Assistant Deputy Minister, Finance and Corporate Branch, in collaboration with the Chief Information Officer, should continue the implementation of an integrated security threat and risk management methodology. / Agree. The generic requirement for a departmental TRA process has been long recognized and is now an explicit requirement under the new Policy on Government Security. Such a process will be incorporated in the Departmental Security Plan, the development of which is required by TBS before July 2012.
The department is already delivering on this requirement, using a two-track approach. Track 1 activity includes the development of a strategic level departmental security Threat Risk Assessments (TRA). Phase 1 of this TRA, completed in October 2009-February 2010, was based on Assistant Deputy Minister and Director General level interviews and Phase 2 shall be completed in October-December 2010 for senior management review in early 2011.