Archived - Audit of the Security Program - Follow-up Report Status Update as of March 31, 2011

Archived information

This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

PDF Version (42 Kb, 8 Pages)

Action Plan Implementation Status Update Report To The Audit Committee - As of March 31, 2011

Human Resources and Workplace Services - Security and Occupational Health and Safety Division (SOHSD)

Audit of Security (Project 09/79)
AEC Approval Date: May 14, 2010

Project Recommendations	Action Plan	Expected Completion Date	Program Response
1. The DSO should update the departmental security policy to more clearly communicate the existing security related roles, responsibilities and accountabilities of the Departmental Security Officer, ADMs, RDGs, security practitioners, contracting staff, line managers and employees.	SOHSD will: In consultation with other federal departments, develop a Statement of roles and responsibilities to be incorporated in the Departmental Security Policy.	2010-DEC	Status: Update/Rationale: As of 31/03/2011: A draft Statement of Roles and Responsibilities has been developed and will be presented to the ADM's, RDG's and security practitioners for their review and comments. Roles and Responsibilities will be presented to the DM for approval with the Departmental Security Plan in April 2011. The Statement of Roles and Responsibilities will be presented to the DM for approval with the Departmental Security Plan in April 2011. AES: Substantially implemented. The recommendation will be closed once the Statement of Responsibilities has been approved by the DM.
	Present the draft to ADMs, RDGs and security practitioners for their review and comments.	2010-DEC
	Implement the Statement of roles and responsibilities.	2011-JUN
2. The DSO should further develop and communicate procedures and guidance to support implementation of the departmental security program in regions and sectors (e.g., procedures for lock-up at end of day, guidance on what to look for when conducting a security sweep, trainer's materials for delivering security awareness activities and guidance on how to establish and maintain physical security zones).	SOHSD will: Review, identify and prioritize gaps in the existing procedures.	2011-MAR	Status: Update/Rationale: As of 31/03/2011: To date SOHSD has developed and revised the following: Development and implementation of the Guideline on Protecting and Handling Information Development and implementation of a new procedure for Security in Contracting Development of a guideline on security of information when temporarily working outside the workplace or in transit Development and implementation of new security screening procedures for managers Development of security sweep procedures and tools Development and implementation of roles and responsibilities for Sector Security Coordinators entitled Sector Security Coordinator Handbook. AES: Fully implemented. The recommendation has been closed.
	Pending HR and Financial resources, expertise and new Policy on Government Security Standards, SOHSD will: Update existing procedures and develop new ones to be included in the Security Management Framework. Communicate updated procedures to those who need them.	2012-MAR
3. The ADMs responsible for regional staff and operations should work with the DSO to ensure that sufficient attention and resources are devoted to security in regions, including ensuring that RSOs have sufficient time to perform their security-related duties.	Following recommendation no 1, DSO to obtain buy-in from ADMs responsible for regional staff and operations: To ensure their engagement towards the security program in their respective region. To refocus the Regional Security Officers (RSOs) responsibilities to ensure sufficient time for security duties. To ensure that RSOs undergo mandatory training related to their duties. To ensure that the security awareness program is active in their respective region.	2011-MAR	Status: Update/Rationale: As of 31/03/2011: During the week of December 6, 2010: The DSO visited the Quebec region to make a presentation on the security program and the results of the audit to the Senior Managers to ensure their continuous engagement towards the security program. The DSO also discussed with the ADM's responsible for the Southern and Northern regions the regional engagement towards the security program. This was also discussed during the presentation to the HRWSMC on Departmental Security Plan. This will be assessed as part of the 3 year strategy of the Departmental Security Plan. During the week of March 7 to 11, 2011, the annual training session for RSO and SSC was held in the NCR region. A total of 25 participants attended from across the Department. The DSO is in contact with the RSOs to provide statistical data in regards to inspections, awareness sessions and incident. AES: Fully implemented. The recommendation has been closed.
4. INAC should consider appointing Sector Security Officers in all sectors to support implementation of the security program, similar to the Regional Security Officer role. The responsibilities attached to this role and associated level of effort should be presented to INAC Senior Management when the departmental security policy is next updated.	Define role and responsibilities for Sector Security Officer as per Recommendation # 1, and determine the associated level of effort the position will require.	2010-DEC	Status: Update/Rationale: As of 31/03/2011: The roles and responsibilities for Sector Security Coordinators (SSC) were defined and presented to all sector representatives on January 19, 2011. Comments were received and another session was held on February 9, 2011 to review amendments. Following request from DSO to seek support from Senior Management (presented in 12 sectors) for the introduction of the Sector Security coordinator role, several SSCs have been appointed. The Sector Security Coordinator Handbook will be distributed to all sector managers, sector security coordinators and their supervisors. This new role will be officially introduced in one sector as a pilot project starting April 1, 2011. This sector will be asked to come back to the SSC table within 6 to 8 months to provide feedback on the advantages and issues noticed during that period. AES: Fully implemented. The recommendation has been closed.
	DSO to seek approval from Senior Management for the introduction of the Sector Security Officer role.	2011-MAR
5. The DSO should develop a strategically focused departmental security plan that outlines departmental security objectives and priorities, resource requirements, timelines for meeting baseline government security requirements, and plans for updating all required Threat and Risk Assessments (TRAs) over a five-year cycle.	DSO will develop a 3 year Departmental Security plan as per the Policy on Government Security: To include departmental security strategies, objectives, resource requirements, priorities and timelines. To include a prioritization of the TRAs nationwide in a 5 year cycle.	2010-AUG	Status: Update/Rationale: As of 31/03/2011: The DSO hired two consultants to assist in the development of a Departmental Security Plan (DSP). A deck including highlights of the DSP presented to the HRWSMC for approval in March 2011. The Departmental Security Plan will be presented to the DM for approval/signature in April 2011. AES: Substantially implemented. The recommendation will be closed once the Departmental Security Plan has been approved by the DM.
6. The DSO should improve monitoring of the effectiveness of the security program in regions and sectors to support its continuous improvement (e.g. tracking implementation of recommendations from TRAs, performing random spot checks of security in contracting controls, tracking issues raised in security sweeps to ensure their timely resolution, and performing annual on-site visits to support security practitioners in regions and sectors).	Implementation of recommendation no 3 will include specific reporting requirements.	2011-APR	Status: Update/Rationale: As of 31/03/2011: Every month, the DSO participates to the conference call with RSOs and reminds them of the importance to provide their statistical data in regards to inspections, awareness sessions and incidents. The known risks will be addressed in the Departmental Security Plan. During the week of December 6, 2010: DSO was Quebec to make a presentation on the security program and the results of the audit to the Senior to ensure their continuous engagement towards the security program. DSO reported the security program performance data for 2010-2011 to HRWSMC in March 2011. AES: Substantially implemented. The recommendation will be closed once the Departmental Security Plan has been approved by the DM.
	DSO to request regional input to extend beyond NCR the collection of additional statistical data.	2011-MAY
	Note: Since October 2009, at the DSO's request, regions are providing statistical data on incident reports, sweeps and TRAs which are compiled for trend analysis purposes.	2011-MAR
	RSOs to address known risks and to report to DSO. DSO to conduct trend analysis from information obtained nationwide. DSO to conduct annual regional and sector visits. DSO to report performance data to HRWSMC	2011-JUN
7. The DSO should further develop the security awareness program to extend its reach to regional staff and improve coverage of information safeguarding and security in contracting requirements.	SOHSD: To staff the security training and awareness position	2011-MAR	Status: Update/Rationale: As of 31/03/2011: The security training and awareness position will be staffed on April 4, 2011. One of the priorities will be to review existing awareness material and identify gaps with the existing awareness program. SOHSD developed and implemented the Guideline on Protecting and Handling Information. A prepared training package was also delivered to RSOs. AES: Fully implemented. The recommendation has been closed.
	To review existing awareness material.	2011-JUN
	To identify gaps with the existing awareness program
	In synch with Actions described in #3, to review awareness presentations including speaking notes for the RSOs use.
	To obtain feedback from the RSOs for analysis and improvement purposes.
	To ensure added focus is placed on classification, handling and disposal of information, as well as requirements for security in contracting (completion of SRCLs). To produce an online security awareness training session.	2011-DEC
8. The DSO should increase focus on monitoring the effectiveness of security in contracting processes and reduce its direct involvement in the review of Security Requirements Checklists and contract clauses. To accomplish this, an organizational and functional review of the security in contracting function is required to ensure that sufficiently trained and competent contracting officers review and approve security requirements and security clauses. Furthermore, a comprehensive and effective security in contracting compliance monitoring and reporting program is required to ensure compliance is achieved and maintained across the department.	DSO to consult with the CFO to: Revise existing procedures and to develop new ones for the completion and review of SRCLs and inclusion of security clauses in contracts.	2010-SEPT	Status: Update/Rationale: As of 31/03/2011: DSO obtained approval from the OPS Committee on March 8, 2011 to go ahead with the new security in contracting process starting April 1, 2011. On March 22, a meeting was held with Procurement and Security staff to introduce this process. Effective April 1st, 2011, a revised security in contracting process will be introduced at INAC. This review included for Security to: Revise existing procedures and to develop new ones; Develop training modules for RCMs and contracting administrators for the management of the SRCL process; Develop training modules for Security Officers responsible for compliance of contract security requirements; and Ensure Procurement and Security continue to work in partnership. The new process will consist of ensuring: that all new contracts will require a Security Requirement Checklist (SRCL). the monitoring by conducting monthly spot checks. the introduction of a condensed SRCL adapted for managers. compliance with the use of the condensed SRCL forms. AES: Substantially implemented. The recommendation will be closed once all required training modules have been developed and implemented.
	To develop training modules for RCMs and contracting administrators for the management of the SRCL process. To develop training modules for Security Officers responsible for compliance of contract security requirements. DSO: To increase focus on monitoring the effectiveness of security in contracting processes. CFO: To identify contracting officers to review and to process SRCL forms and to liaise with SOHSD. Note: Checklists and security clauses include this shared activity (DSO/CFO) in the Statement of Roles and Responsibilities as per recommendation no 1.	2011-MAR

Did you find what you were looking for?

What was wrong?

I can't find the information

The information is hard to understand

There was an error or something didn't work

Other reason

Please provide more details

You will not receive a reply. Don't include personal information (telephone, email, SIN, financial, medical, or work details).
Maximum 300 characters

Date modified:: 2011-11-17