Archived - Audit of the Security Program - Follow-up Report Status Update as of September 30, 2010

• In consultation with other federal departments, develop a Statement of roles and responsibilities to be incorporated in the Departmental Security Policy.

Update/Rationale:
As of 30/09/2010:

On Sept 10th 2010, DSO sent an email to all Sector Managers requesting them to invite him to a management meeting in order to make a presentation on the audit results and recommendation to seek their support and to better serve them. Presentation is focused on Rec no 4 (appointment of Sector Security Coordinators (SSC). To date presentations were made to three sectors.

AES: Underway

• Present the draft to ADMs, RDGs and security practitioners for their review and comments.

• Implement the Statement of roles and responsibilities.

• Review, identify and prioritize gaps in the existing procedures.

Update/Rationale:
As of 30/09/2010:

Sept 2010: SOHSD identified existing and non-existing departmental policies, guidelines and procedures (total: 26) and prepared a timeline for the review and the update of same. Due to limited resources, priority will be given to the preparation of the Statement of Roles and Responsibilities, more specifically for the Sector Security Coordinators (SSC) to be incorporated in the Departmental Security Policy as per recommendation no. 1.

AES: Underway

• Update existing procedures and develop new ones to be included in the Security Management Framework.

• Communicate updated procedures to those who need them.

• To ensure their engagement towards the security program in their respective region.
• To refocus the Regional Security Officers (RSOs) responsibilities to ensure sufficient time for security duties.
• To ensure that RSOs undergo mandatory training related to their duties.
• To ensure that the security awareness program is active in their respective region.

Update/Rationale:
As of 30/09/2010:

During the week of September 20th 2010: DSO was in Winnipeg and the week of Oct 4th 2010 in Iqaluit to make a presentation on the security program and the results of the audit to the Senior Managers of the Manitoba and Nunavut Regions to ensure their continuous engagement towards the security program. DSO and support staff hosted the National RSO / SSO's workshop in Winnipeg where training was provided as well.

DSO scheduled a 5 day security training for RSOs in March 2011.

RSOs will be approached to actively participate to this year's Security Awareness Week scheduled for February 2011. They will be provided with material, strategies and promotional items to ensure the success of that awareness campaign in their respective regions.

The RSOs roles and responsibilities are currently being revised and will be presented to RDGs and ADMs with regional responsibilities for approval.

AES: Underway

Update/Rationale:
As of 30/09/2010:

On Sept 10th 2010, DSO sent an email to all Sector Managers requesting them to invite him to a management meeting in order to make a presentation on the audit results and recommendation to seek their support and to better serve them. Presentation is focused on Rec no 4 (appointment of Sector Security Coordinators. To date presentations were made to three sectors.

The topic of the importance of appointing Sector Security Coordinator will be covered. To date, one sector has appointed a DG to be the champion of security and six sectors have appointed a Sector Security Coordinator.

AES: Underway

• To integrate this action plan in the strategic plan.
• To include departmental security objectives, resource requirements, priorities and timelines.
• To include a prioritization of the TRAs nationwide in a 5 year cycle.

Update/Rationale:
As of 30/09/2010:

On June 25th 2010, TBS issued Guidelines for the Development of Departmental Security Plan to support the policy requirement of the Policy on Government Security.

In September 2010, DG HRWSMC hired a contractor to develop an annual plan.

Further to the guidelines received in June 2010, the Management Response / Actions are being amended to reflect the requirements.

INAC actively participates in the interdepartmental committee established by TBS to develop the Security Performance Measurement Framework. This will assist in better positioning Security within the federal government (i.e. MAF, Departmental Rish Management Reports...) and align the key performance indicators for the development of the Annual Security Plan. Committee results are expected in April 2011.

AES: Underway

DSO to request regional input to extend beyond NCR the collection of additional statistical data.

Note: Since October 2009, at the DSO's request, regions are providing statistical data on incident reports, sweeps and TRAs which are compiled for trend analysis purposes.

Update/Rationale:
As of 30/09/2010:

RSOs continue to send statistical data to SOHSD. On Aug 11th 2010, presented to Associated DM data collected from all regions in reference to security screening and contracts, awareness sessions, security incident reports, sweeps and access cards.

During the week of September 20th 2010: DSO was in Winnipeg and during the week of Oct 4th 2010 in Iqaluit to make a presentation on the security program and the results of the audit to the Senior Managers of the Manitoba and Nunavut Regions to ensure their continuous engagement towards the security program. In Winnipeg DSO and support staff hosted the National RSO / SSO's workshop where this recommendation was addressed and discussed.

HRWSB created a Monitoring and Compliance unit who will assist Security in developing a strategy for the review of the security files.

AES: Underway

• RSOs to address known risks and to report to DSO.

• DSO to conduct trend analysis from information obtained nationwide.

• DSO to conduct annual regional and sector visits.

• DSO to report performance data to HRWSMC

• To staff the security training and awareness position

Update/Rationale:
As of 30/09/2010:

(SOHSD is planning on staffing the security training and awareness position this fiscal year. Objectives will be established according to the departmental priorities)

In August 2010, DSO sent to all Sector Managers to inform of new procedures to mark and safeguard IT Media. Included in the communication was a red tag marked secret to be attached to USB keys that contain secret information.

RSOs will be approached by DSO to actively participate to this year's Security Awareness Week scheduled for February 2011. They will be provided with material, strategies and promotional items to ensure the success of that awareness campaign in their respective regions

AES: Underway

• To review existing awareness material.

• To identify gaps with the existing awareness program

• In synch with Actions described in #3, to review awareness presentations including speaking notes for the RSOs use.

• To obtain feedback from the RSOs for analysis and improvement purposes.

• To ensure added focus is placed on classification, handling and disposal of information, as well as requirements for security in contracting (completion of SRCLs).

• To produce an online security awareness training session.

• Agree and develop a strategy to transfer all direct involvement in the review of security requirements, approval of Security Requirement

Update/Rationale:
As of 30/09/2010:

DSO consulted with ten other DSOs as well as 25 PWGSC working committee members in reference to security in contracting and it was clear and concise that in the majority of the departments, it is not normal procedures for procurement officers to approve security requirements and security clauses, it is corporate security's duty and business to do so.

On September 14th 2010, DSO and DG Corporate Accounting & Material Management discussed this recommendation and both did not concur with part of it due to the above noted findings.

Prior to the audit, DSO and the Director of Material and Assets Management Division had already revised existing procedures and developed new ones for the completion and review of SRCLs and inclusion of security clauses in contracts. The procedures are on the draft mode and will consider to include the Sector Security Coordinators in the process mapping once their roles and responsibilities are approved.

In view of the above, DSO amended the Management Response / Actions to remove "DSO to consult with the CFO to agree and develop strategy to transfer all direct involvement in the review and approval of security requirements (to procurement officers)."

October 7, 2010, the DG of HRWSB approved the DSO's recommendation to create a one-stop shop for contracts with security requirements. To do so, the DSO is planning on:

Communicate strategy to senior management in December 2010; Organize a training workshop with procurement officers and security in contracting officers; Implement new process by April 2011.

AES: Underway

• Revise existing procedures and to develop new ones for the completion and review of SRCLs and inclusion of security clauses in contracts.
• To develop training modules for RCMs and contracting administrators for the management of the SRCL process.
• To develop training modules for Security Officers responsible for compliance of contract security requirements.

DSO:

• To increase focus on monitoring the effectiveness of security in contracting processes.

CFO:

• To identify a contracting officer(s) to review and to process SRCL forms and to liaise with SOHSD.

Note: Checklists and security clauses include this shared activity (DSO/CFO) in the Statement of Roles and Responsibilities as per recommendation no 1.