Audit of Physical Security National Capital Region

Executive Summary

Physical security within the Government of Canada is governed by the Treasury Board (TB) Policy on Government Security, the Directive on Security Management and the Operational Security Standard on Physical Security. The TB Policy defines Government security as the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence.

Deputy heads are accountable for the effective implementation of physical controls within their departments including the appointment of the Departmental Security Officer to manage the departmental security program.

Statistics Canada manages physical security within four buildings in the National Capital Region. This includes three inter-connected buildings at Tunney's Pasture in Ottawa, Ontario and one building in Gatineau, Quebec which is mainly used for the conduct of the Census every five years. These buildings house employees of Statistics Canada and other tenants as well as critical government assets, data and services.

The objectives of this audit were to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

• Statistics Canada management control framework related to physical security is adequate and effective; and
• Statistics Canada physical security practices and measures to manage access to and protect Statistics Canada's facilities, assets and information comply with relevant TB and Statistics Canada policy instruments on physical security.

The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Why is this important?

To carry out its mandate, Statistics Canada has access to confidential and sensitive statistical information that, if compromised, could have a direct impact on the reputation of the agency and result in a loss of credibility. Statistics Canada is co-located with other tenants, and there has been no audit of physical security since the new security policy was implemented in 2009 and updated in 2012. The audit was included in the risk-based audit plan to provide assurance that information, assets and services are protected against compromise and that individuals are protected against workplace violence.

Key Findings

Statistics Canada has a governance structure to support its physical security management program with clearly defined roles and responsibilities and policies and procedures.

Processes are in place for ensuring that employees are security cleared and provided with training on security practices and requirements. During the security screening process, some personal security information is sent between government security offices using unencrypted emails.

A departmental security plan is in place to support the organization's physical security management as well as a plan to ensure business continuity in the case of emergencies.

Physical access to Statistics Canada's facilities is restricted to security cleared personnel through the use of physical security barriers, [This information has been severed].

Physical security threat and risk assessments are not being conducted which limits management's ability to make informed decisions on physical security controls including an agency-wide approach to security zoning and controls based on pre-established criteria.

Some operational practices could be improved to enhance the agency's security approach. This includes having written agreements with building tenants (e.g. other government departments) and developing a challenge function to ensure that identification cards are consistently being worn in a visible manner.

Monitoring and reporting practices for physical security are in place but are not leveraged to support physical security management. There is no documented definition of what qualifies as a physical security incident, no defined escalation process of security incidents or centralized incident database.

Overall Conclusion

Statistics Canada is generally in compliance with relevant TB and Statistics Canada policy instruments. There is a governance structure that includes clearly defined roles and responsibilities. Physical security control measures provide access to security screened individuals and monitoring and reporting of security incidents is taking place.

Controls within the physical control environment would be improved through regular risk assessments that identify emerging threats, the development of a hierarchy of security zones, and documented procedures and protocols for incident reporting. Physical security management would be further strengthened through the leveraging of monitoring and reporting practices in order to strengthen the overall security posture at Statistics Canada.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.

Steven McRoberts
Chief Audit and Evaluation
Executive

Introduction

Background

Physical security within the Government of Canada is governed by the Treasury Board (TB) Policy on Government Security, the Directive on Security Management and the Operational Security Standard on Physical Security. The TB Policy defines Government security as the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence. Deputy heads are accountable for the effective implementation and governance of security and to appoint a departmental security officer (DSO) to manage the departmental security program.

At Statistics Canada, the Director General of the Operations Branch has been appointed the DSO and is also the Chair of the Security Coordination Committee (SCC). The DSO is responsible for all matters related to security including physical security of Statistics Canada buildings in Ottawa and in the regional offices in other cities.

Statistics Canada manages physical security within four buildings in the National Capital Region. This includes three inter-connected buildings at Tunney's Pasture in Ottawa, Ontario and one building in Gatineau, Quebec which is mainly used for the conduct of the Census every five years. These buildings house employees of Statistics Canada and other tenants as well as critical government assets, data and services.

Audit objectives

The objectives of this audit were to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

• Statistics Canada management control framework related to physical security is adequate and effective; and
• Statistics Canada physical security practices and measures to manage access to and protect Statistics Canada's facilities, assets and information comply with relevant TB and Statistics Canada policy instruments on physical security.

Scope

The scope included an examination of Statistics Canada's physical security program and the degree to which it allows for the effective coordination and management of departmental security activities. The scope also examined the degree to which the security program is supported by an appropriate governance structure with clear accountabilities as well as clearly defined objectives, and aligned with broader agency policies, priorities and plans.

The audit did not include an assessment of physical security for the Statistics Canada regional offices. A walkthrough of the building in Gatineau was conducted and was excluded from further testing as it was assessed to be low risk due to its limited use and occupancy.

Approach and methodology

The audit approach included an assessment and analysis of relevant documentation, interviews with key management and staff, testing and walkthrough of the four buildings in the National Capital Region and review of the processes and practices related to physical security measures. During the examination phase, the audit team reviewed the governance, risk management and control processes and procedures, examined the physical safeguards, and evaluated the current security practices against best practices and guidance provided by Treasury Board Secretariat.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2016/17 to 2020/21.

Findings, Recommendations and Management Response

Governance over physical security

A governance structure to support effective physical security management program is in place

An effective governance structure over physical security provides for the coordination of activities through clear assignment of responsibilities for the management and monitoring of physical security controls in order to meet the program's objectives.

Oversight at Statistics Canada is provided by the SCC. Reporting to the Executive Management Board, the SCC oversees all aspects of physical, information technology (IT) and information management (IM) security issues and is comprised of representatives from all of these groups, as well as Facilities and Human Resources. The main role of the SCC is to review and consider matters pertaining to security, and to assist and advise in the development of appropriate policies, procedures and programs, including training and awareness programs. The SCC meets on a monthly basis and has formal processes in place to support its mandate.

The Director General Operations, reporting to the ACS, Census, Operations, and Communications, is the designated Departmental Security Officer (DSO) within Statistics Canada and also chairs the SCC. Reporting to the Director General, Operations is the Director, Corporate Support Services, who has been assigned the role of Deputy Departmental Security Officer(DDSO) and is responsible for physical security operations at Statistics Canada.

Positions relevant to physical security management are formally documented, and aligned with each position's roles and responsibilities. The organizational chart is up-to-date and permitted the identification of clear lines of communication and reporting. The Chief of Security, responsible for all physical security operational issues reports to the Director of Corporate Support Services and meets with the DSO and DDSO weekly to discuss physical security issues.

Key security personnel at Statistics Canada have taken security training to stay current on the latest developments in security management. This is in compliance with the TB Directive on Departmental Security Management which requires DSOs and security practitioners to receive appropriate and up-to-date training to ensure that they have the necessary knowledge and competencies to perform their security responsibilities effectively.

Policies on physical security provide direction to managers, employees and partners about carrying out their security responsibilities. Statistics Canada follows the TB policy instruments pertaining to physical security compliance, and has developed an internal Security Practices Manual. The manual is a comprehensive guide, with eight chapters covering physical, IT and IM security, and a chapter on Statistics Canada's security structure.

A departmental security plan and business continuity plan are in place

The Departmental Security Plan (DSP) outlines the objectives of the departmental security program, identifies risks and mitigation strategies and specifies how financial and human resources should be deployed. It is a key control in coordinating departmental security activities.

A DSP for Statistics Canada is in place and is coordinated between the security office, the information technology division, the information management division and the SCC. The DSP is reviewed and approved by the DSO, SCC and the Executive Management Board and signed by the Chief Statistician. Review of the minutes of the SCC showed that actions resulting from the annual DSP process are followed up regularly.

A Business Continuity Plan (BCP) outlines the activities that will take place in the event of a critical incident that prevents physical or electronic access to key systems. It ensures that Statistics Canada can continue to deliver on mission critical programs and services.

A BCP for Statistics Canada is in place. The plan has identified thirteen programs and services, each of which is required to maintain a BCP and assign a BCP lead. In addition, Statistics Canada has a Departmental (department-wide) BCP that integrates the 13 BCPs as well as governance, roles and responsibilities, and serves as a comprehensive reference document. The audit did not conduct detailed tests on the effectiveness of the plans put in place as this area will be covered in more depth in a subsequent audit within the current Risk-Based audit and evaluation plan.

Personnel security screening procedures are consistently applied in compliance with TB Policy on Government Security; some personal security information was sent to other government security offices using unencrypted emails

The security clearance process ensures that only authorized individuals who meet security requirements can access Statistics Canada's facilities, systems and data.

Statistics Canada has adopted two levels of security screening:

• Reliability status – mandatory for all Statistics Canada employees. Requirements that must be met are: a credit check and criminal background check using fingerprints. The status is effective for ten years; and
• Secret clearance – mandatory for all Statistics Canada senior managers. Requirements that must be met are: a credit check; criminal background check using fingerprints; and a loyalty assessment of the employee by the Canadian Security Intelligence Service. The clearance is effective for ten years.

The audit team judgmentally selected a sample of employee security clearances to test. All security clearance procedures were found to be consistently applied, accurate and complete. In addition, walkthroughs demonstrated that the information in the custody of the security office is stored on the security office's secured drive on Network A. All the folders are protected using Security groups and access is restricted to select employees.

Testing revealed that personal security information (which is considered "Protected B" information) of employees on secondment or assignment to and from other departments is transmitted between government security offices by unencrypted email. The Statistics Canada Directive on Transmission of Protected Information requires the use of the government-wide email service with encryption option. The TB Directive on Departmental Security Management requires that personnel security screening be conducted in a manner that meets government of Canada standards and enables them to be transferred between departments.

The security screening renewal process is monitored by the security office. Every three months, the security office requests a report from Human Resources that identifies the employees whose security clearances will expire within the next three months. The audit randomly selected a sample of fifteen employees and asked to see if their security clearances were renewed. No exceptions were noted.

A security awareness program is in place and security training is mandatory for employees

Security training and outreach activities provides employees with information on daily security responsibilities in order to protect the security of individuals and ensure that systems, assets and data are protected against unauthorized access.

Security awareness at Statistics Canada includes an annual awareness week and regular communications. Review of SCC's minutes revealed that security awareness has been in the forefront of the committee's discussions. Information is disseminated regularly on security issues, policies, and procedures. This includes security information posted on screens in various sections of the building (lobby, cafeteria, etc.).

Security training for employees at Statistics Canada is mandatory. All employees are required to take the Canada School of Public Service's Security Awareness course. It is an e-learning course that provides employees with knowledge and tools so they can meet their responsibilities under the TB Directive on Departmental Security Management, as well as providing the awareness to reduce Statistics Canada's risk exposure to breaches and violations of security policies and procedures.

All new employees must complete this course when they are hired, and effective September 2016, all existing employees must take the course prior to renewing their ID card. The training requirement is outlined in the New Employee Handbook / Orientation manual and the training is tracked.

A review of the tracking report (January 2017) to assess if employees are complying with the requirement was conducted. The audit noted that as of September 2016, most individuals had taken the training, and the rest were in progress.

Recommendations

The Assistant Chief Statistician Census, Operations, and Communications should ensure that:

• Personal security information for employees on assignment or secondment is shared with other government security offices in compliance with Statistics Canada Directive on the Transmission of Protected Information.

Management Response

Management agrees with the recommendation.

Deliverables and Timeline

The Departmental Security officer has sent out an email to security personnel to remind them of encryption requirements.

The Director, Corporate Support Services Division (CSSD) will:

• Develop Personnel Security procedures for information sharing with other Government of Canada security offices in light of encryption compatibility issues by November 2017.
• Review and suggest a revision of the current Statistics Canada Directive on the Transmission of Protected Information by January 2018.

Design and implementation of physical security controls

Access to Statistics Canada's facilities is restricted to authorized personnel. Regular assessments of threats and risks are not being conducted, which limits management's ability to make informed decisions on physical security controls.

The Statistics Canada's complex at Tunney's Pasture in Ottawa is comprised of three interconnected-buildings – R. H. Coats, Main, and Jean Talon. As the primary tenant of the three buildings, Statistics Canada is responsible for the implementation and management of physical access to the buildings. The main building is shared by four government departments including Statistics Canada, Health Canada, Shared Services Canada and Public Services Procurement Canada. In addition, certain service organizations also occupy space in all the buildings such as facilities managers, cafeteria staff and cleaning suppliers.

Documentation review and interviews revealed that written agreements have not been established by Statistics Canada with other government departments and service organizations on implementing and managing their physical security requirements. The new draft Directive on Security Management that is pending TB approval, requires a written agreement when a department supports another department or organization to achieve government security objectives. Written agreements establish clear roles, responsibilities and accountabilities and set clear expectations and this is considered a good practice even in the absence of policy requirements.

The design of physical security controls should be based on a strong understanding of the risks and threats within Statistics Canada's physical security environment. This is achieved through conducting regular threat and risk assessments (TRAs), as required by TB Policy. TRAs identify risks through reviews of the security environment including past security incidences, known threats, and potential security vulnerabilities. The identification of risks allows management to make appropriate decisions on Statistics Canada's security posture including whether or not to mitigate risks through the use of additional controls.

Interviews with the Statistics Canada security office revealed that physical security TRAs have not been conducted. The need to conduct TRAs was identified by the Security Coordination Committee at a June 2015 meeting. Additionally, the security officers' job description indicates that they are responsible for disseminating findings, results and recommendations from TRAs to management.

While Statistics Canada has not yet conducted its own TRAs, TRAs of Statistics Canada's buildings are being conducted by the building owner, Public Services and Procurement Canada. However, the information yielded by these assessments has not been leveraged by the security office to inform the design of security controls.

The audit team reviewed the control design process with the security office personnel. The building is controlled using two zones, public and restricted zones. Some areas of the building do have additional controls beyond the restricted zones. This includes separate card readers and locked areas where sensitive statistical, protected and classified information and assets are stored.

There is no agency-wide approach to security zoning and controls based on pre-established criteria. Decisions for additional safeguards are made by individual divisions. A consistent approach that identifies criteria for identifying higher risk areas helps individual divisions ensure they have the appropriate amount of physical controls over their areas in-line with their assets and information holdings as well as in-line with the security posture and risk tolerance of the organization.

General access to the buildings is given through the use of an Electronic ID card. Once employees have been security cleared, they are issued a card which is required to be worn in a visible manner and is used to access Statistics Canada's buildings. Electronic turnstiles are installed at the entrances of all buildings and employees are required to scan their card in order to access the restricted zones. All Statistics Canada ID card activity is tracked in the security system and ID cards are automatically deactivated after 90 days of inactivity. In the event of a lost or stolen card, employees are to notify the security office, and the ID cards are immediately deactivated by the security office.

The audit team observed that identification cards were not consistently being worn in a visible manner and there is no challenge function employed by security personnel. Follow-up interviews with the Security Office indicated that security guards are in place and are used to support physical security, however, they are not required to ask employees to show security cards. Security guards are only required to observe, monitor and report and do not enforce security rules.

Access to the restricted zones of the building is defined by three time periods: regular hours, restricted hours, and silent hours. The audit team attempted to access restricted zones inside and outside of regular hours as well as areas where additional security controls were deployed. Testing confirmed that controls were in place and operating effectively in order to limit access.

A walkthrough of the buildings [This information has been severed].

Monitoring and reporting practices for Physical Security are in place but are not leveraged to support Physical Security management.

Monitoring and reporting processes provide management with information on the effectiveness of physical security controls. It allows managers to identify risks and trends and make improvements to controls where needed.

Statistics Canada conducts several activities to monitor and report on its Physical Security controls.

Security sweeps are conducted monthly by members of the SCC – the DSO, DDSO, Director of Information Management Division, IT and security staff. Currently, the security office's strategy in conducting security sweeps is to provide training. For this reason, advance notice is provided to the director of the division so that staff can be made aware of the upcoming security sweep. The audit team observed a security sweep in February 2017. No major issues were found. Interviews revealed that future security sweeps will occur without advance notice in order to further test controls.

Security incidents are monitored and tracked using three separate incident databases (physical security, IM and IT). Physical security incidents covering a vast array of issues are reported to the security office by several methods, including emails, phone calls, and in-person. There is no documented definition of what qualifies as a physical security incident for entry into the incident database; however, anything that affects operations, life, or health is captured.

A sample of security incident reports was tested to determine whether incidences were properly identified, documented and reported. Supporting documentation was traced to the database to verify if the information in the database was correctly and timely recorded and whether follow-up actions were taken.

Results revealed that the investigation and the escalation process is not documented and there was no documentation of communication to the DSO and therefore the timeliness of these reports to the DSO could not be verified or tested. Follow-up with the security office revealed that investigative responsibilities are not specifically defined or documented and each incident is addressed on a case-by-case basis using the professional judgment of the chief of security and other senior staff. Daily informal communication and formal weekly meetings are held between the DSO and the chief of security to ensure that the DSO is informed of urgent issues. Physical security incidents are reported monthly to the SCC. The audit found that, where applicable, the police were contacted as required by law or as judged necessary by the chief of security for all incidents reviewed in our sample.

Overall, the audit found that security personnel are monitoring, tracking and investigating security incidences. However, incident reporting and monitoring practices are not leveraged to inform Statistics Canada's security posture. The identification of security incident trends and emerging risks helps management make informed decisions on changes to physical security controls.

Recommendations

The Assistant Chief Statistician Census, Operations, and Communications should ensure that:

1. Regular physical security threat and risk assessments are conducted in order to make informed decisions on physical security zones and security controls.
2. A hierarchy of discernible zones is defined, documented and communicated according to TB's definition of security zones and written agreements are established with other departments and organizations to achieve government security objectives.
3. There are processes in place to identify, report and monitor security incident trends in order to make security control adjustments as necessary.
4. The policy requirements for employees' ID cards to be visible is reinforced through an awareness program and a periodic challenge function.

Management Response

Management agrees with the recommendations.

1. Physical security threat and risk assessments aligned with TB Departmental Security Plan cycle (every 3 years) will be conducted and together with all available information, including but not limited to, security incident reports and trends, facility TRAs and physical security inspections, the security office will make informed decisions on physical security zones and security controls.

   The security office will leverage information gained through threat and risk assessments/physical security inspections in the development of the DSP.

Deliverables and Timeline

2. Current Directive on Departmental Security Management or Policy on Government Security does not require Statistics Canada to develop written agreements with other government departments who are supported by Statistics Canada's security division. The draft of the future Directive on Security Management has a provision to this effect.

   Statistics Canada will develop and implement a Memorandum of Understanding (MOU) to outline the security services and service levels it will provide to other government departments co-located and served by Statistics Canada's security team.

   Statistics Canada has developed a plan to implement the TBS hierarchy of zones through its "physical security barriers/turnstiles" project.

Deliverables and Timeline

3. The security office will continue to leverage the SCC to obtain a holistic view of physical security incidents, IT security incidents and information management incidents, and will build on the information shared to identify incident trends and subsequently develop incident metrics.

   Security will leverage security incident trends and metrics to make informed decisions regarding security control measures. For instance, Security will make reference to historical security incident trends and risks when conducting physical security inspections. These trends will assist with the development of security control recommendations. Additionally, these security incident trends will feed into the DSP.

Deliverables and Timeline

4. The security office through various communication channels, will continue to remind employees to visibly display their ID card at all times when on Statistics Canada premises. Currently, tightrope messages and signs with these instructions are posted throughout all three buildings.

   An integrated Security Awareness Working Group has been assembled to further strengthen the annual Security Awareness Week campaign.

   The Security Office will have the security guards randomly challenge employees who do not have their ID cards visibly displayed and remind them to do so.

Deliverables and Timeline

• Develop a Communication Plan which will outline various communication methods (e.g. tight rope, weekly info bulletin) to be used to remind employees of their security responsibilities (i.e. responsibility to visibly display their ID card at all times when on STC premises) by November 2017.
• Purchase lanyards and hand them out during Security Awareness week (February 2018) to employees NOT visibly displaying their ID cards.
• Instruct guard force to randomly challenge employees who are not visibly wearing the ID Cards and remind them to do so (Update Post-Orders as required) by November 2017.
• Develop ID Card Employee Attestation Form stating that employees have been briefed on requirement to visibly display ID card at all times when on Statistics Canada premises. Employees will be required to sign this form prior to receiving the new or renewed ID card. The will be completed by November 2017.

Appendices

Appendix A: Audit criteria

Appendix B: Acronyms