Audit of the corporate security investigations carried out by common security services (final report)


June 29, 2017

Executive summary

i. The 2009 Policy on Government Security defines government security as “the assurance that information, assets and services are protected against compromise, and individuals are protected against workplace violence.” Section 6.1.8 of the policy states that deputy heads of all departments are responsible for “ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence that they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency.”

ii. The Deputy Minister of Public Services and Procurement Canada has sub-delegated the authority to conduct administrative investigations of security incidents to the Departmental Oversight Branch. Within the branch, the responsibility to conduct investigations was shared between the Corporate Security Directorate and the Special Investigations and Internal Disclosure Directorate, depending on the nature of the incident being investigated.

iii. As of October 2015, Special Investigations and Internal Disclosure Directorate was authorized to conduct all administrative investigations related to security incidents. The responsibility for the intake, triage, and preliminary review of security incidents was then assigned to the newly formed Common Security Services, formerly the Security Investigation Unit within the Corporate Security Directorate.

iv. The objective of this audit was to determine whether select elements of the Management Accountability Framework are in place and operating as intended to support the role performed by Common Security Services as it relates to security incidents. The audit scope period was from April 1, 2015 to November 30, 2016. The scope excluded administrative investigations related to security incidents conducted by the Special Investigations and Internal Disclosure Directorate as this investigative function was assessed as part of the recently completed Audit of the Special Administrative Investigations Function and the Audit of the Internal Disclosure Process.

v. Overall, we identified significant control weaknesses with select elements of the Management Accountability Framework for the corporate security investigations carried out by common security services. We found that the investigation process could be improved by better aligning policies with Public Services and Procurement Canada’s operational environment. Developing procedures, ensuring managerial reviews and performing quality assurance activities could increase the quality and consistency of activities performed by Common Security Services. In addition, we identified information management issues related to Common Security Services’ use of the Site-Secure application. Improvements in these identified areas would help ensure the work performed by Common Security Services is within their authority, complies with Treasury Board of Canada Secretariat requirements and adequately supports the achievement of Public Services and Procurement Canada’s objectives.

Management response

Since the audit observations came to our attention in summer/fall 2016, management believes that its continuous improvement initiatives have addressed the majority of the audit’s concerns. Furthermore, management also believes that, until Site-Secure is replaced, interim measures adequately address risk. The management action plan, below, highlights the Departmental Oversight Branch’s actions in addressing audit recommendations.

Recommendations and management action plan

Recommendation 1:
The Assistant Deputy Minister, Departmental Oversight Branch should, through appropriate consultation with departmental security stakeholders: a) update policies related to security investigations to ensure that accountabilities, roles and responsibilities are clearly defined and align with the current operational environment; b) develop stronger controls for ensuring the integrity of security information being collected; and c) perform on-going trend analysis of the department’s security risk environment, using the security incident data that is collected.
Management Action Plan 1.1:

The Corporate Security Investigative Function under Common Security Services was a temporary measure in November 2015 to address organizational concerns and management challenges. In December 2016, the unit was re-positioned under the Corporate Security Directorate, the policy authority for investigative activities.

Public Services and Procurement Canada has approximately 500 Unit Security Officers equipped with training and manuals provided by the Security Emergency Management Sector. Their responsibilities are clearly defined, documented and communicated.

All Regional Security Officers are aware of their roles and responsibilities (reinforced with monthly meetings).

Developed an Integrated 3-year Security and Awareness Training Plan (2016 to 2019) intended to change culture and to communicate employees’ security responsibilities as a whole.

Developed an Armed Intruder, Lockdown and Shelter in Place Program/Exercise to communicate and train regarding managers’/employees’ safety and security incident responsibilities.

Developed Security Sweep Compliance Enhancement Strategy re: infractions and repeat offenders for managers/employees to reinforce policy compliance.

Updated Security and Business Continuity Planning Governance Committees (including refined terms of reference and mandates at the Director General and Assistant Deputy Minister levels). Both committees met in March 2017.

Reviewed the new Policy on Government Security’s security controls and identified security gaps which need to be addressed by policy.

Completed 2 rounds of subject matter expert departmental security consultations (including 3 rounds of regional reviews) to align Public Services and Procurement Canada’s security policies with new Treasury Board of Canada Secretariat’s Policy on Government Security. Delays partially due to Treasury Board of Canada Secretariat’s own delays on the policy roll-out, now expected to be beyond 2017.

Security investigations committee meetings related to security held bi-weekly with stakeholders (including Human Resources, Information Technology (IT), Special Investigations, Corporate Security, etc.) to ensure cohesive reporting and alignment with current operational environment.

Management Action Plan 1.2:

All information related to an individual’s security information, investigation, resolution of doubt or review for cause is now stored in GCDOCS. Site-Secure is only used to issue an incident tracking number.

Until Site-Secure is replaced (project lead hired in February 2017), standard operating procedures providing procedural controls have been implemented and employees entering data are better trained.

Quarterly review of Site-Secure accounts and controls was last completed in April 2017.

Management Action Plan 1.3:

The Departmental Security Officer and the Director of the Corporate Security Directorate review and monitor the Incidents Tracking Table outlining category of incidents. Also included is a separate tracking table for review for cause, resolution of doubt, signals intelligence and Special Investigations and Internal Disclosure Directorate’s investigations.

Site-Secure’s replacement will incorporate a business intelligence function for sophisticated trend analysis.

Recommendation 2:
The Assistant Deputy Minister, Departmental Oversight Branch should: a) develop and implement standard operating procedures which cover the complete life cycle of a security investigation; and b) ensure that managerial reviews and quality assurance activities are performed to ensure established procedures are being adhered to.
Management Action Plan 2.1:

Developed incident management standard operating procedures and business process mapping for procedural fairness for the resolution of doubt and review for cause process.

  • Legal reviewed standard operating procedures and templates; comments are being integrated
  • All processes have been validated via a table-top exercise
  • Mapped/tested review for cause and resolution of doubt procedures for IT-linkage and automated process tracking related to Site-Secure’s replacement

As per the department’s policy suite renewal outlined above, all roles and responsibilities related to the life-cycle of a security investigation will be formalized. In the interim:

  • All Regional Security Chiefs are aware that all security incidents are reported to the Corporate Security Directorate, under the auspices of the Departmental Security Officer, via a General Occurrence Report, and all fact-finding activities to assess/initiate a formal administrative investigation must be coordinated by the directorate
  • Corporate Security Directorate holds a monthly teleconference with Regional Security Chiefs. This meeting is held to discuss security incidents and reinforce roles and responsibilities
  • Similar training/communications will be improved for roll out and reinforcement with the department’s 500 Unit Security Officers

Management Action Plan 2.2:

Managerial and Departmental Security Officer reviews/oversight have been incorporated into the standard operating procedures outlined above.

Upon the replacement of Site-Secure, managerial and Departmental Security Officer reviews and oversight will be incorporated as part of the business intelligence analytics.

Recommendation 3:
The Assistant Deputy Minister, Departmental Oversight Branch should develop, document and clearly communicate to Public Services and Procurement Canada employees their rights and responsibilities related to reporting security incidents, as well as for participating in any security-related investigations.
Management Action Plan 3.1:

Intake channels for reporting security incidents were consolidated and last updated, April 2017, on Public Services and Procurement Canada’s website.

Investigations standard operating procedures include protocol for advising individuals of their rights, responsibilities as well as Privacy Act implications.

General Occurrence Report forms also point to the applicable Personal Information Bank.

Legal has reviewed standard operating procedures and associated templates; we are currently integrating their comments.

The mandatory security awareness course will be updated to set out employees’ responsibilities to report security-related incidents.

Recommendation 4:
The Assistant Deputy Minister, Departmental Oversight Branch should: a) develop and implement appropriate performance indicators; and b) revise service standards to better reflect the nature and complexity of work now being performed by Common Security Services.
Management Action Plan 4.1:
Updated key performance indicators are being developed across all security service functions, in alignment with the new investigations standard operating procedures.
Management Action Plan 4.2:

Standard operating procedures for the investigative function now include a business process map, illustrating complexity and timelines. This will be integrated with Special Investigations and Internal Disclosure Directorate in order to capture the complete lifecycle of a security investigation from the intake of the incident to closure of the file.

The corporate security investigative function under Common Security Services was a temporary measure in November 2015 to address organizational concerns and management challenges. In December 2016, the unit was re-positioned under Corporate Security Directorate, the policy authority for investigative activities.

Recommendation 5:

As a result of significant security risks, the Assistant Deputy Minister, Departmental Oversight Branch should reconsider the use of the Site-Secure application as an information management tool for the investigation functions.

Should it be determined that the Site-Secure application remains the tool of choice, the Assistant Deputy Minister should a) establish controls to ensure that information in the Site-Secure application is appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data; and b) whether or not the application remains the tool of choice, ensure that Common Security Services uses Government of Canada approved portable data storage devices when handling investigative information.

Management Action Plan 5.1:

Previously addressed and approved at the January 23, 2017 Audit and Evaluation Committee meeting.

All security risks deemed to be suitably mitigated, until Site-Secure is replaced.

A separate management action plan is in place to monitor.

Introduction

1. This engagement was initiated, at the request of the Audit and Evaluation Committee in June 2015, as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework, to provide assurance on the effectiveness of the management controls and investigation practices within the department.

2. The 2009 Treasury Board of Canada Secretariat’s Policy on Government Security defines government security as “the assurance that information, assets and services are protected against compromise, and individuals are protected against workplace violence.” Under section 6.1.8 of the policy, deputy heads of all departments are responsible for “ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency.”

3. Within Public Services and Procurement Canada, the Deputy Minister has sub-delegated the authority to conduct formal administrative investigations related to security incidents to the Departmental Oversight Branch. Until recently, authorities and areas of responsibility for investigations were divided between the Corporate Security Directorate and the Special Investigations and Internal Disclosure Directorate, depending on the nature of the investigation. For example, the Corporate Security Directorate was responsible for investigating security-related incidents such as theft, vandalism, violence in the workplace and inappropriate use of government and information technology assets, while the Special Investigations and Internal Disclosure Directorate was responsible for investigating disclosures made under the Public Servants Protection and Disclosure Act, conflicts of interest and misuse of public funds and assets.

4. As of October 2015, the Special Investigations and Internal Disclosure Directorate was authorized to conduct all administrative investigations related to security incidents. The responsibility for the intake, triage, preliminary review and investigation of low complexity security incidents was assigned to the newly formed Common Security Services, formerly the Security Investigation Unit within the Corporate Security Directorate. As of November 30, 2016, Common Security Services comprised 1 Director, 1 Manager and 2 investigators. When requested, the unit was unable to provide its operating budget for the 2016 to 2017 fiscal year.

Focus of the audit

5. The focus of this internal audit was to determine whether selected elements of the Management Accountability Framework are in place and operating as intended to support corporate security investigations. The audit scope period was from April 1, 2015 to November 30, 2016. The scope excluded administrative investigations related to security incidents conducted by Special Investigations and Internal Disclosure Directorate, as this investigative function was assessed as part of the recently completed Audit of the Special Administrative Investigations Function and the Audit of the Internal Disclosure Process.

6. More information on the audit objective, scope, approach and criteria can be found in the section “About the Audit” at the end of the report.

Statement of conformance

7. The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

8. Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The findings and conclusions are only applicable to the entity examined and for the scope and time period covered by the audit.

Observations

9. Audit observations develop through a process of comparing criteria (the correct state) with condition (the current state). The following observations may note satisfactory performance, where the condition meets the criteria, or they may note areas for improvement, where there was a difference between the condition and the criteria.

Departmental policies do not reflect the current operating environment

10. The Treasury Board of Canada Secretariat’s Policy on Government Security sets the requirement that the Departmental Security Officer must establish a departmental security program to manage and coordinate security activities within the department. As part of this role, the Departmental Security Officer must ensure that delegations, reporting relationships and roles and responsibilities of employees with security responsibilities are clearly defined, documented and communicated.

11. We expected that Public Services and Procurement Canada would have policies in place to support the aforementioned Treasury Board of Canada Secretariat requirements and that these policies would clearly define the department’s governance structure and accountabilities related to the Departmental Security Program, including security investigations. Further, we expected that these policies would be up-to-date and accurately reflect Public Services and Procurement Canada’s current operating environment.

12. We found that Public Services and Procurement Canada has in place 2 key policies that define the governance structure and accountabilities related to the Departmental Security Program: the Departmental Security Program Policy and the Corporate Security Program Policy. Our review of these policies revealed that they had not been significantly updated since May 1997 and that the responsibilities identified were not aligned with organizational changes. For example, we observed that responsibilities were assigned to executive positions that no longer exist within the organization. We also noted that there were no departmental directives and/or standards in place to support these policies. Further, in none of the Public Services and Procurement Canada security-related policies we reviewed could we find reference to the existence of Common Security Services, its accountabilities, roles or responsibilities.

13. Through interviews with the Departmental Security Officer and other senior managers, we were informed that these security policies were in the process of being updated; however, management turnover, increased workload, organizational changes and the pending Treasury Board of Canada Secretariat security policy suite reset, expected to be completed in the spring of 2017, had contributed to delays in their revision.

14. We were provided with a copy of the draft Policy on Departmental Oversight Branch Investigations. Upon review of this policy, we could find no evidence that the Departmental Security Committee, comprised of select Directors General and Directors who exercise approval authority for all security related policy instruments, had provided any input into its development. Given that the implementation of this policy would have direct implications on how security investigations would be managed, we expected there would be greater involvement by the security sector into its development. Further, when we reviewed the policy, we noted that there was no mention of Common Security Services and their role for the intake and triage of security incident reports to Special Investigations and Internal Disclosure Directorate for investigation.

Limitations in information used for security risk assessment

15. The Treasury Board of Canada Secretariat’s Directive on Departmental Security Management states that the Departmental Security Officer is responsible for developing, monitoring and maintaining the Departmental Security Plan and for reporting on the management of security within departments. Within Public Services and Procurement Canada, the Departmental Security Officer is also responsible for reporting annually on the status of the security program to the Assistant Deputy Minister Steering Committee on Departmental Security.

16. We expected the Departmental Security Officer would use data collected concerning security incidents to perform trend analysis, to allow for timely decision-making and to identify, assess, and mitigate potential security related risks. We also expected that Common Security Services would accurately report and track security incidents to allow the Departmental Security Officer to fulfill all internal and external reporting requirements.

17. We noted that Common Security Services is currently using an application called Site-Secure to track their security incidents. The Departmental Security Officer and other key personnel indicated that the reporting capacity of the system is insufficient to perform trend analysis. However, our analysis of the security incident reports found that the information contained therein could support some trend analysis, such as tracking based on category of incidents over time.

18. Interviewees also revealed a concern about the accuracy of the information being entered into the application. This concern was warranted, as we observed some issues with the manner in which security incidents were being recorded in the system. For example, the term “other” was being inappropriately used to identify incidents which were of a very specific nature, such as a breach of security. This practice leads to an underrepresentation of the number of security incidents occurring for a specified category/period of time. Additionally, as part of our sample, we reviewed 2 files that were reported to have been resolved in 1 day. Further review of these files revealed that there was a significant delay between the incidents being reported to Common Security Services and the files being entered in the Site-Secure application: 18 and 50 business days respectively. This practice leaves an incorrect perception of incidents being resolved more quickly than they are.

19. We were also advised that since the re-organization of the security investigation function, some security incidents were being reported directly to and tracked by the Special Investigations and Internal Disclosure Directorate. We could find no evidence that this security incident information was being reported back to the Departmental Security Officer in any systematic way.

20. Trend analysis based on incorrect and/or incomplete data may lead to an inaccurate identification and assessment of the department’s security risk environment and to the development of inappropriate strategies to mitigate those risks.

Operational procedures need to be developed to support consistency in the scope and nature of investigative activities

21. The Treasury Board of Canada Secretariat’s Policy on Government Security and the Directive on Departmental Security Management state that departments must develop and implement procedures to establish the conditions under which administrative investigations will be conducted. We expected to find that investigative activities were being consistently undertaken, in line with documented standard operating procedures and operational guidelines.

22. We could find no evidence of documented standard operating procedures being in place. We noted that there was considerable ambiguity within the division, particularly amongst investigators, as to the nature of their role and what activities they should be performing since the re-organization. Under the new organizational structure, the division is responsible for performing the preliminary review and conducting low complexity investigations. However, there were no procedures to guide the conduct of a preliminary review or how to determine the complexity of an investigation. Further, interviewees expressed varying opinions as to what activities were considered a “preliminary review” or “low complexity investigation” versus an actual investigation. This sentiment was further confirmed through our file testing, where we observed inconsistencies in the activities performed by investigators when addressing security incidents. For example, in some files, investigators were immediately transferring the file to the Special Investigations and Internal Disclosure Directorate, but in other instances the investigator was gathering evidence through interviews and data analysis prior to the file being transferred to the Special Investigations and Internal Disclosure Directorate. We could find no rationale on the files which explained why such varying approaches were undertaken by the investigators.

23. Additionally, we did not find any procedures explaining managerial review requirements, prior to closure. Of the 39 files we reviewed in our sample, 34 were closed. Of those 34 closed files only 9 had evidence of managerial review and sign-off.

24. The aforementioned Treasury Board of Canada Secretariat policy and directive also require that all incidents suspected of being criminal in nature be reported to the appropriate law enforcement authority. We observed that Common Security Services does not have an established protocol in place for referring suspected criminal incidents to law enforcement. Referrals of criminal incidents occur on a case-by-case basis. Further, 12 of the 39 files selected in our sample were of a potentially criminal nature but were not referred to law enforcement. We were unable to find a rationale and/or documented approval from a senior manager to support the decision not to report to law enforcement.

25. The absence of standard operating procedures and guidelines has led to different approaches being used by Common Security Services investigators for the triage and assessment of security incidents. This observation, compounded by inconsistent practices around managerial reviews, could result in security incidents requiring investigation not being appropriately identified and reviewed through a formal administrative investigation process.

Quality assurance activities were not performed

26. We expected that quality assurance activities would be in place to ensure adherence to policies and reporting requirements, as well as to identify areas for overall process improvement. During our file testing, we could find no evidence of quality assurance activities having been performed.

27. Implementing quality assurance activities, in line with the complexity of the work performed and the resources available, would provide the Departmental Security Officer with a degree of confidence that activities being undertaken by Common Security Services are appropriate and consistently performed.

Preliminary review and investigations were at times performed by regional employees who are not investigators

28. The Departmental Security Program states that the Departmental Security Officer is responsible for directing and providing functional direction to the regional security authorities. Further, the Corporate Security Program states that the Associate Departmental Security Officer has specific responsibilities for coordinating the Corporate Security Program in each region.

29. Interviews with the Departmental Security Officer and Associate Departmental Security Officer confirmed that regions are expected to report security-related incidents and cooperate with the national headquarters investigators, as required. These interviews further clarified that regions do not have the authority or the training to conduct investigations of security incidents, independent from national headquarters.

30. Consequently, we expected to find that when security incidents occur in the regions, regional officials would promptly inform Common Security Services, the Departmental Security Officer and/or the Associate Departmental Security Officer of the security incident and provide investigative support to national headquarters when requested to do so.

31. We observed that, prior to informing national headquarters, some regions were engaged in preliminary review and/or investigation activities. Of the security incident files in our sample, 6 involved regions. We found that for 3 of these files, regions collected evidence, such as requesting IT logs and conducting witness interviews, prior to reporting the security incident to Common Security Services.

32. So as to not jeopardize the integrity of the investigation process, the role of the regions requires clarification to ensure that activities performed are within their authority and comply with applicable security investigation policies and directives.

Barriers existed for National Capital Region Public Services and Procurement Canada employees to report security incidents

33. The Treasury Board of Canada Secretariat’s Directive on Departmental Security Management states that employees are responsible for reporting security incidents through appropriate channels. Consequently, we expected to find clear guidelines and accessible intake channels for employees to report security incidents.

34. During the examination phase, we reviewed the intake channels provided on the Public Services and Procurement Canada intranet page and found that the physical address and the generic email address provided to reach Common Security Services were not valid. In addition, when we attempted to leave a message at the telephone number listed on the intranet site, there was no indication that we had correctly reached Common Security Services. Upon follow-up, we were informed that the listed number had not been updated.

35. Inaccurate reporting channels can create obstacles, hinder an employee’s capacity to report security incidents and impede appropriate follow-up by Common Security Services. Security incidents may go unreported and/or unaddressed, which would inhibit the Departmental Security Officer’s ability to fully appreciate the risk environment and may prevent incidents requiring further review from being investigated.

36. Subsequent to the examination phase of the audit, intake channels for reporting security incidents were consolidated and updated on Public Services and Procurement Canada’s intranet page. This should be continually maintained to encourage employees in fulfilling their duty to report.

Parties involved in the investigation were not always appropriately informed of their rights and obligations

37. The Treasury Board of Canada Secretariat’s Directive on Departmental Security Management, which includes references to the Access to Information Act and the Privacy Act, states that parties involved in a security incident investigation must be appropriately informed of their rights and obligations. These include, but are not limited to: the right to know the reason for the interview; any information provided during the course of an interview may be accessible in accordance with the above mentioned acts; and they have an obligation to keep discussions confidential. We expected to find a process in place to ensure compliance with the directive and ensure employees involved in an investigation are advised of their rights and obligations.

38. Of our sample, 6 files involved interviews with Public Services and Procurement Canada employees. For these files, we listened to audio recordings of interviews and reviewed interview notes for evidence that individuals involved were advised of their rights and obligations. In only 3 of these 6 files could we find evidence that employees were made aware of some rights prior to their interview. In none of the files reviewed were employees informed of their right to obtain the information they’ve provided during the course of the investigation as per the Access to Information Act and the Privacy Act. In addition, we found no evidence that employees were informed of the obligation to keep discussions confidential.

Existing performance indicators do not reflect the current operating environment

39. Performance indicators are used to monitor performance and to assist management and employees in their pursuit of continuous improvement. To be effective, departments should develop performance indicators that clearly define desired results, measure and evaluate performance and make the necessary adjustments to improve both the efficiency and effectiveness of its operations. We expected appropriate performance indicators would be developed and that management would consider these results to inform decision-making and improve activities within Common Security Services.

40. We found that Common Security Services had established a 90-day service standard for opening and closing security incident files and an 85% performance indicator. We noted that these indicators have not changed since the reorganization of the function and are the same as when the unit was performing more complex investigations. We assessed that the current indicators do not take into consideration the nature and the complexity of the work now being performed by Common Security Services; therefore, we question their value for informing operational improvements and efficiencies.

41. Further, through consultation with Special Investigations and Internal Disclosure Directorate, we were informed that there is no service standard in place that captures the complete lifecycle of a security investigation, from the intake of the security incident to closure of the security incident investigation file. While Special Investigations and Internal Disclosure Directorate confirmed that they also have a 90 day service standard, this standard does not include the time required for Common Security Services to intake and triage the security incident file. We observed that no efforts were being made, by either directorate, to amalgamate and/or share service standard results in the pursuit of increased operational efficiency.

42. Efforts to establish stronger linkages between the Common Security Services and Special Investigations and Internal Disclosure Directorate service standards would allow for a more complete understanding of the length of time required to complete a security incident investigation. Doing so would strengthen the integrity of the investigative process, improve Common Security Services’ and Special Investigations and Internal Disclosure Directorate’s ability to identify opportunities to streamline the security investigation process, and reduce the impact of an extended investigation on those involved.

System issues with the Site-Secure application may compromise the integrity of electronic records pertaining to security incidents

43. According to Treasury Board of Canada Secretariat’s information management policies and directives, information pertaining to investigations is considered sensitive, should be safeguarded accordingly and only shared with individuals on a need-to-know basis.

44. We expected that corporate security incidents and investigation records would be properly safeguarded and maintained as per information management policies and directives in order to maintain the confidentiality and protect information from unauthorized use and/or access.

45. We found that paper files were kept in secure Royal Canadian Mounted Police approved cabinets and located in a protected area, which is consistent with Treasury Board of Canada Secretariat’s Operational Security Standard on Physical Security. We also found that Common Security Services had in place a process for the retention and disposition of these records which was consistent with the department’s retention and disposition schedule. Electronic records are stored in the Site-Secure application. This application is used to track and record information about security incidents and investigations. We conducted a walkthrough of Site-Secure and noted several information management security issues.

46. Firstly, security personnel with administrator rights were able to access potentially sensitive files related to departmental investigations, although their duties would not require such access. Further, administrators have the ability to remove the system partitions that separate the various modules used by other directorates and prevent unauthorized access to the information they contain. There are currently limited oversight and controls in place, such as segregation of duties, to review and ensure the appropriateness of actions taken by administrators. Furthermore, we were informed that there are no audit trails or security logs to record which files have been viewed and by whom. Current system capabilities are limited and do not allow such logs to be enabled.

47. Secondly, article 12.3.3 of Treasury Board of Canada Secretariat’s Operational Security Standard: Management of Information Technology Security requires departments to certify and accredit their information technology systems. In cases where this has not occurred, an exemption must be obtained and approved. Site-Secure has not been accredited or certified and no exemption has been provided. Further, no Privacy Impact Analysis has been completed for Site-Secure. We have assessed that the use of this application has evolved significantly from the tracking of security incidents to the storing of reports which may contain sensitive personal information. This would indicate the need for a Privacy Impact Analysis to be performed.

48. Thirdly, system back-ups and recovery activities are not performed. In the case of a system event, such as hard drive failure, system crash or virus infection, original data may be lost and users may be unable to reconstruct or restore the lost information. No contract or service level agreements are in place for vendor support, leaving the department in a precarious position in the event of such a system failure.

49. Fourthly, we noted that password settings to access Site-Secure are weak. We noted that the system may not have the capability to provide stronger password settings. As well, workstations seem to all be configured with a local account that has the same username and no password. Additionally, workstation sessions and screens do not appear to lock following a period of inactivity. These conditions undermine the security and confidentiality of information stored on the various workstations across the department.

50. Fifth, during our system walkthrough, we learned that Site-Secure is not a standalone system, as is assumed by system administrators, but is connected to another server that has access to the internet. Although antivirus software is installed on workstations, the antivirus has not been updated or activated, leaving the system at risk.

51. Finally, there are currently no procedures in place for granting, modifying and removing system access. Furthermore, there are no documented procedures related to the appropriate use of the system, and the roles and responsibilities of both system administrators and users. Users are given access rights based on existing profiles used by administrators which are not necessarily in relation to specific job requirements or the need-to-know principle.

52. Controls are needed to ensure that information in Site-Secure is appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.
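Findings 46 and 51 describe two missing controls: no record of which files were viewed and by whom, and administrators who can read investigation content their duties do not require. The following is an added illustration, not code from the audit report or from the Site-Secure application, of what those controls look like when built in: a small case-record store in which an "admin" role manages accounts and assignments but can never read case content (segregation of duties), an "investigator" reads only cases assigned to them (need-to-know), and every access attempt, allowed or denied, is written to a hash-chained audit trail whose integrity can be verified afterwards. The role names, user names and the General Occurrence Report number are constructed for the example.

```python
"""Added example (not part of the audit report or of Site-Secure):
need-to-know access to case records, administrators kept out of case
content, and a tamper-evident, append-only audit trail of every access."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first entry of the audit chain


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    time: str
    actor: str
    action: str
    target: str
    allowed: bool
    prev_hash: str  # digest of the previous entry, chaining the log
    digest: str     # sha256 over all other fields of this entry


def _digest(fields: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class CaseStore:
    """Roles (constructed for the example): 'admin' manages accounts and
    assignments but can never read a case; 'investigator' reads only the
    cases they are assigned to."""

    def __init__(self) -> None:
        self._roles: dict[str, str] = {}
        self._cases: dict[str, dict] = {}
        self._log: list[AuditEntry] = []

    def add_user(self, user: str, role: str) -> None:
        if role not in ("admin", "investigator"):
            raise ValueError(f"unknown role {role!r}")
        self._roles[user] = role

    def create_case(self, case_id: str, body: str, assigned: set[str]) -> None:
        self._cases[case_id] = {"body": body, "assigned": set(assigned)}

    def _record(self, actor: str, action: str, target: str, allowed: bool) -> bool:
        # Every attempt is logged, including denied ones; entries are never edited.
        prev = self._log[-1].digest if self._log else GENESIS
        fields = {
            "seq": len(self._log) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target,
            "allowed": allowed, "prev_hash": prev,
        }
        self._log.append(AuditEntry(**fields, digest=_digest(fields)))
        return allowed

    def read_case(self, actor: str, case_id: str) -> str | None:
        case = self._cases[case_id]
        allowed = (self._roles.get(actor) == "investigator"
                   and actor in case["assigned"])
        self._record(actor, "read", case_id, allowed)
        return case["body"] if allowed else None

    def assign(self, actor: str, case_id: str, user: str) -> bool:
        # Only an admin may grant access, and only to an investigator account.
        allowed = (self._roles.get(actor) == "admin"
                   and self._roles.get(user) == "investigator")
        if allowed:
            self._cases[case_id]["assigned"].add(user)
        return self._record(actor, "assign:" + user, case_id, allowed)

    def readers_of(self, case_id: str) -> list[str]:
        """Who has actually viewed a case, in order of access."""
        return [e.actor for e in self._log
                if e.action == "read" and e.target == case_id and e.allowed]

    def denied_attempts(self) -> list[tuple[str, str, str]]:
        return [(e.actor, e.action, e.target) for e in self._log if not e.allowed]

    def verify_log(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self._log:
            fields = asdict(e)
            fields.pop("digest")
            if e.prev_hash != prev or _digest(fields) != e.digest:
                return False
            prev = e.digest
        return True

    def tamper_for_demo(self, seq: int, new_actor: str) -> None:
        """Simulate an after-the-fact edit so verify_log() can be seen to catch it."""
        e = self._log[seq - 1]
        self._log[seq - 1] = AuditEntry(**{**asdict(e), "actor": new_actor})


def build_demo_store() -> CaseStore:
    """Constructed sample: one case, one admin, two investigators."""
    store = CaseStore()
    store.add_user("sysadmin", "admin")
    store.add_user("inv_a", "investigator")
    store.add_user("inv_b", "investigator")
    store.create_case("GOR-2016-0001", "constructed sample: lost laptop, floor 4", {"inv_a"})
    store.read_case("inv_a", "GOR-2016-0001")     # assigned: allowed
    store.read_case("inv_b", "GOR-2016-0001")     # not assigned: denied, but logged
    store.read_case("sysadmin", "GOR-2016-0001")  # admin role: denied, but logged
    store.assign("sysadmin", "GOR-2016-0001", "inv_b")
    store.read_case("inv_b", "GOR-2016-0001")     # now assigned: allowed
    return store
```

The point of `readers_of` and `denied_attempts` is that they answer the questions the audit found Site-Secure could not: which files have been viewed, by whom, and who tried and was refused. Chaining each entry to the previous one means a reviewer performing the quarterly account and control review can detect an edited or deleted log entry rather than having to trust the administrator who holds the database.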

Non-government issued portable data storage devices were used to transmit and store information

53. The Treasury Board of Canada Secretariat outlines the proper use and handling of Portable Data Storage Devices in an Information Technology Policy Implementation Notice which came into effect on May 20, 2014. Specifically, the notice indicates that effective September 2014 all portable data storage devices must be password or biometrically controlled, and the information stored on them encrypted. Consequently, we expected to find that Common Security Services were in compliance with this notice.

54. Through interviews and on-site observations, we noted that the USB flash drives used by Common Security Services to store and transfer sensitive Government of Canada information were neither password nor biometrically controlled, risking the introduction of malicious software to Government of Canada IT networks and/or the loss of sensitive information.

55. In January 2017, the Office of Audit and Evaluation issued a management letter concerning the issues raised above. The Departmental Oversight Branch has developed a management action plan to address the issues presented.

Conclusion

56. Within the Departmental Oversight Branch, security incident investigations are a shared responsibility. Common Security Services, Special Investigations and Internal Disclosure Directorate, the regions and Public Services and Procurement Canada employees, at large, all play an important role in ensuring the integrity of the investigation process. Therefore it is important that there is a common understanding of the roles each is expected to fulfill and the steps to be taken to ensure investigations related to security incidents adhere to Public Services and Procurement Canada policies as well as the legislative framework that govern their roles.

57. Overall, we identified significant weaknesses pertaining to policies and procedures, information management and performance monitoring and reporting. Improvements in these areas are needed to ensure the integrity of the corporate security investigation process.

58. Establishing and communicating policies and procedures for corporate security investigations will limit the confusion that comes with change. Moreover, strengthening controls, particularly in the area of performance monitoring and reporting, will improve the quality and accuracy of these activities and bolster the Departmental Security Officer’s capacity to perform trend analysis and learn from security incidents. Finally, it should be noted that the issues concerning the management of electronic files in the Site-Secure application have been brought to the attention of senior management via management letter and are currently being addressed.

Management response

Since the audit observations came to our attention in summer/fall 2016, management believes that its continuous improvement initiatives have addressed the majority of the audit’s concerns. Furthermore, management also believes that, until Site-Secure is replaced, interim measures adequately address risk. The management action plan, below, highlights the Departmental Oversight Branch’s actions in addressing audit recommendations.

Recommendations and management action plan

Recommendation 1:
The Assistant Deputy Minister, Departmental Oversight Branch should, through appropriate consultation with departmental security stakeholders, a) update policies related to security investigations to ensure that accountabilities, roles and responsibilities are clearly defined and align with the current operational environment; b) develop stronger controls for ensuring the integrity of security information being collected; and c) perform on-going trend analysis of the department’s security risk environment, using the security incident data that is collected.
Management Action Plan 1.1:

The Corporate Security Investigative Function under Common Security Services was a temporary measure put in place in November 2015 to address organizational concerns and management challenges. In December 2016, the unit was re-positioned under Corporate Security Directorate, the policy authority for investigative activities.

Public Services and Procurement Canada has approximately 500 Unit Security Officers equipped with training and manuals provided by the Security Emergency Management Sector. Their responsibilities are clearly defined, documented and communicated.

All Regional Security Officers are aware of their roles and responsibilities (reinforced with monthly meetings).

Developed an Integrated 3-year Security and Awareness Training Plan (2016 to 2019) intended to change culture and to communicate employees’ security responsibilities as a whole.

Developed an Armed Intruder, Lockdown and Shelter in Place Program/Exercise to communicate and train regarding managers’/employees’ safety and security incident responsibilities.

Developed Security Sweep Compliance Enhancement Strategy re: infractions and repeat offenders for managers/employees to reinforce policy compliance.

Updated Security and Business Continuity Planning Governance Committees (including refined term of references and mandates at the Director General and Assistant Deputy Minister levels). Both committees met in March 2017.

Reviewed new Policy on Government Security’s security controls; identifying security gaps which need to be addressed by policy.

Completed 2 rounds of subject matter expert departmental security consultations (including 3 rounds of regional reviews) to align Public Services and Procurement Canada’s security policies with the new Treasury Board of Canada Secretariat Policy on Government Security. Delays are partially due to Treasury Board of Canada Secretariat’s own delays on the policy roll-out, now expected to be beyond 2017.

Security investigations committee meetings are held bi-weekly with stakeholders (including Human Resources, IT, Special Investigations, Corporate Security, etc.) to ensure cohesive reporting and alignment with the current operational environment.

Management Action Plan 1.2:

All information related to an individual’s security information, investigation, resolution of doubt or review for cause is now stored in GCDOCS (Footnote 1). Site-Secure is only used to issue an incident tracking number.

Until Site-Secure is replaced (project lead hired in February 2017), standard operating procedures providing procedural controls have been implemented and employees entering data are better trained.

Quarterly review of Site-Secure accounts and controls was last completed in April 2017.

Management Action Plan 1.3:

The Departmental Security Officer and the Director of the Corporate Security Directorate review and monitor the Incidents Tracking Table outlining category of incidents. Also included is a separate tracking table for review for cause, resolution of doubt, signals intelligence and Special Investigations and Internal Disclosure Directorate’s investigations.

Site-Secure’s replacement will incorporate a business intelligence function for sophisticated trend analysis.

Recommendation 2:
The Assistant Deputy Minister, Departmental Oversight Branch should a) develop and implement standard operating procedures which cover the complete life cycle of a security investigation; and b) ensure that managerial reviews and quality assurance activities are performed to ensure established procedures are being adhered to.
Management Action Plan 2.1:

Developed incident management standard operating procedures and business process mapping for procedural fairness for the resolution of doubt and review for cause process.

  • Legal reviewed standard operating procedures and templates; comments are being integrated
  • All processes have been validated via a table-top exercise
  • Mapped/tested review for cause and resolution of doubt procedures for IT-linkage and automated process tracking related to Site-Secure’s replacement

As per the department’s policy suite renewal outlined above, all roles and responsibilities related to the life-cycle of a security investigation will be formalized. In the interim:

  • All Regional Security Chiefs are aware that all security incidents are reported to the Corporate Security Directorate, under the auspices of the Departmental Security Officer, via a General Occurrence Report, and all fact-finding activities to assess/initiate a formal administrative investigation must be coordinated by the directorate
  • Corporate Security Directorate holds a monthly teleconference with Regional Security Chiefs. This meeting is held to discuss security incidents and reinforce roles and responsibilities
  • Similar training/communications will be improved for roll out and reinforcement with the department’s 500 Unit Security Officers
Management Action Plan 2.2:

Managerial and Departmental Security Officer reviews/oversight have been incorporated into the standard operating procedures outlined above.

Upon the replacement of Site-Secure, managerial and Departmental Security Officer reviews and oversight will be incorporated as part of the business intelligence analytics.

Recommendation 3:
The Assistant Deputy Minister, Departmental Oversight Branch should develop, document and clearly communicate to Public Services and Procurement Canada employees their rights and responsibilities related to reporting security incidents, as well as, for participating in any security-related investigations.
Management action plan 3.1:

Intake channels for reporting security incidents were consolidated and last updated, April 2017, on Public Services and Procurement Canada’s website.

Investigations standard operating procedures include protocol for advising individuals of their rights, responsibilities as well as Privacy Act implications.

General Occurrence Report forms also point to the applicable Personal Information Bank.

Legal has reviewed standard operating procedures and associated templates; we are currently integrating their comments.

The mandatory security awareness course will be updated to set out responsibilities for employees to report security-related incidents.

Recommendation 4:
The Assistant Deputy Minister, Departmental Oversight Branch should a) develop and implement appropriate performance indicators and b) revise service standards to better reflect the nature and complexity of work now being performed by Common Security Services.
Management action plan 4.1:
Updated key performance indicators are being developed across all security service functions; in alignment with the new investigations standard operating procedures.
Management action plan 4.2:

Standard operating procedures for the investigative function now include a business process map, illustrating complexity and timelines. This will be integrated with Special Investigations and Internal Disclosure Directorate in order to capture the complete lifecycle of a security investigation from the intake of the incident to closure of the file.

The corporate security investigative function under Common Security Services was a temporary measure put in place in November 2015 to address organizational concerns and management challenges. In December 2016, the unit was re-positioned under Corporate Security Directorate, the policy authority for investigative activities.

Recommendation 5:

As a result of significant security risks, the Assistant Deputy Minister, Departmental Oversight Branch should reconsider the use of the Site-Secure application as an information management tool for the investigation functions.

Should it be determined that the Site-Secure application remains the tool of choice, then the Assistant Deputy Minister should a) establish controls to ensure that information in the Site-Secure application is appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data; and b) whether or not the application remains the tool of choice, ensure that Common Security Services uses Government of Canada approved portable data storage devices when handling investigative information.

Management action plan 5.1:

Previously addressed and approved at the January 23, 2017 Audit and Evaluation Committee meeting.

All security risks deemed to be suitably mitigated, until Site-Secure is replaced.

Separate management action plan is in place to monitor.

About the audit

Authority

This engagement was initiated at the request of the Audit and Evaluation Committee in June 2015 as part of the Horizontal Audit of the Public Services and Procurement Canada Investigation Management Accountability Framework, to provide assurance on the effectiveness of the management controls and investigation practices within the department.

Objective

The objective of this audit was to determine whether selected elements of the Management Accountability Framework are in place and operating as intended to support the role performed by Common Security Services as it relates to security incidents.

Scope and approach

This audit looked at reported corporate security incidents from April 2015 to November 2016 by focusing on the following types of incidents and investigations managed by Common Security Services: theft/loss of government property, vandalism, inappropriate use of government equipment and information technology assets, security breaches and violations.

Formal administrative investigations related to corporate security incidents conducted by Special Investigations and Internal Disclosure Directorate were excluded from the scope of this audit.

This audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.

Interviews were conducted with key departmental personnel. Relevant Treasury Board of Canada Secretariat and Public Services and Procurement Canada documents were reviewed. We conducted file testing on a sample of 39 judgmentally selected reports out of the 293 security incidents reported. Further, we completed a process walk-through and developed a security incident process flowchart. A compliance scorecard was also used during the file testing. In addition, an on-site observation and a walk-through of the file management system were completed to support our findings.

Based on analysis of the information and evidence collected, we prepared audit findings and conclusions, which were validated with the appropriate managers. The report will be presented to the Assistant Deputy Minister, Departmental Oversight Branch for acceptance and then tabled at the Audit and Evaluation Committee meeting to be recommended for approval by the Deputy Minister.

Criteria

The criteria used to assess the corporate security investigations carried out by Common Security Services were based on a risk assessment. The criteria focused on elements of the Management Accountability Framework that are considered to be relevant and important as they relate to the role played by Common Security Services to support the conduct of formal administrative investigations by Special Investigations and Internal Disclosure Directorate.

Specifically the audit examined:

  1. Authority, roles and responsibilities: Authorities, roles and responsibilities related to corporate security investigations are clearly defined, documented, communicated and applied:
    • Authorities, roles and responsibilities related to preliminary review and the initiation of formal administrative investigations for corporate security incidents are clearly defined, documented, communicated and applied
  2. Processes and procedures: Processes and procedures related to preliminary review and the initiation of security investigations are established and consistently applied to ensure compliance with applicable policies and legislation:
    • Processes and procedures are formally established for corporate security preliminary review and the initiation of formal administrative investigations which are consistent with applicable federal government policies and legislation
    • Processes and procedures provide the necessary guidance to stakeholders to appropriately execute their duties
    • Processes and procedures are being followed to ensure that preliminary review and the initiation of formal investigations are being executed appropriately
  3. Quality assurance: Quality assurance activities are performed to support consistency and quality of security reports:
    • Quality assurance activities are conducted
  4. Human Resources: Human Resources are sufficient and appropriate to discharge responsibilities related to preliminary review and the initiation of security investigations:
    • A human resources plan is documented and includes the following elements:
      • analysis of current and future resource and competency needs
      • analysis of key positions and succession planning
  5. Performance monitoring and reporting: A monitoring approach is in place to assess actual performance against planned results in preliminary review and the initiation of security investigations, and to adjust course as required:
    • Appropriate performance indicators have been developed and used to track performance, with corrective measures taken, as appropriate
  6. Information management: Preliminary review and investigative records are maintained in accordance with policies and legislation:
    • Records of information are maintained and safeguarded in accordance with the requirements of legislation and policies

Audit work completed

Audit fieldwork for this audit was substantially completed in November 2016.

Audit team

The audit/review was conducted by members of the Office of Audit and Evaluation (and an audit consultant), overseen by the Director X (Internal Audit, Procurement Audit) and under the overall direction of the Chief Audit and Evaluation Executive.

The audit/review was reviewed by the quality assessment function of the Office of Audit and Evaluation.
