Reporting security incidents
If you believe that sensitive government information or assets have been accessed without permission, you are required to report the incident to the Contract Security Program. Find out how, when and where to report security incidents.
A security incident is an alert that a breach of security may be taking place or may have taken place. It is an act, event or omission that could result in the compromise of information, assets or services. This may include:
- leaving a protected file out on a desk unattended
- misplacing a laptop computer that contains secure information
- suspicious contact from someone who may be trying to gain sensitive information from you
Organizations must establish procedures to ensure that suspected or confirmed security incidents are immediately identified, investigated and reported to the program.
How to report a security incident
Security incidents must be reported to the company security officer. The company security officer will conduct a preliminary inquiry, keep a written record and report incidents to the Contract Security Program.
Complete the security incident report for company security officers and alternate company security officers
The preliminary inquiry will answer the following questions:
- where and when did the incident occur?
- who reported it, to whom, and when?
- what information or asset was involved?
- what was the security marking and description of the information or asset involved?
- who was the originator of the information or asset?
- for how long and to whom was the information or asset vulnerable to unauthorized access?
- what actions were taken to secure the information or asset and limit the damage?
- is any information or asset lost or unaccounted for?
- what are the recommendations to prevent the incident from reoccurring?
Submit either the completed incident report or an email to the Investigations Division of the Contract Security Program at the following address: email@example.com.
Do not submit protected and classified information with your report or by email. When submitting either your security incident report or email, clearly indicate in your message whether you must submit sensitive information as part of the incident reporting. The investigator assigned to the file will then contact you to make the necessary arrangements to obtain these documents.
If you suspect a criminal act has been committed, contact your local police service.
A security incident that leads to a confirmed compromise of information and assets is considered a security breach.
A breach is an act, event or omission that results in the compromise of sensitive information or assets. This means that there has been unauthorized access, disclosure, destruction, removal, modification, use or interruption of protected and classified information and assets.
How to report a security breach
In the event of a security breach, the company security officer must take the following steps, document them in a security incident report and forward it to the program:
- report breaches immediately to the program. Complete the security incident report for company security officers and alternate company security officers
- complete an investigation of the incident by determining the cause of the incident
- take corrective measures and implement controls to prevent or minimize the possibility of future similar incidents
A security contact happens when the representative of a group communicates with you to access national security information for which they do not have a need-to-know.
A security contact can occur during official or social circumstances, in or outside of Canada.
A security contact may come from:
- a foreign country of interest
- an extremist or subversive group
- a criminal group
- a political, commercial or issues-motivated group or individual, including the media
These groups or individuals use considerable resources to obtain access to national and defence information, weapons or other military assets. Their efforts could involve targeting a person or their family and friends.
Awareness is vital: If you have regular contact with representatives of foreign or other groups in or outside of Canada, then you are required to report this to your company security officer or alternate company security officer.
Why you may be targeted
Employees of organizations registered with the program could hold information that is highly sought after by foreign representatives. Information collected by these people and groups could be a threat to you, your organization and our national security.
You must report a suspicious contact so it can be assessed to:
- allow early identification of the threatening activity
- determine the extent of the threat
- alert the authorities responsible for the development of appropriate countermeasures
When to report a contact
Your organization must report suspicious contacts as soon as they happen to allow prompt assessment and appropriate action.
Consider the following questions:
- was the encounter with a foreign national?
- did you feel uncomfortable with the line of questioning?
- was the questioning persistent?
- did anything happen that appeared suspicious or caused you concern?
If the answer to any of the above questions is yes, then you should immediately report the suspicious contact to:
- the program through your company security officer or alternate company security officer
- local police
- Canadian Security Intelligence Service
Third party reporting
Third party reporting is a vital assistance to the federal government in identifying inappropriate contacts.
The company security officer must ensure that incidents of this nature are reported to the program. They may also need to contact other parties, depending on the severity of the concern. The program treats third party reports in the strictest confidence.
How to report a security breach or security contact
If you suspect a security breach or security contact, you must: contact the Contract Security Program.
You may also need to contact the following authorities to report:
- an immediate threat to national security, contact either:
- 911 (your local police department)
- the Royal Canadian Mounted Police (RCMP) National Security Information Network
- a non-immediate threat to national security, contact, consider reporting national security information to the Canadian Security Intelligence Service
- suspected criminal activities, contact either:
- your local law enforcement organization
- the RCMP National Operations Centre
- secure fax:
How the program investigates a security breach
The program conducts administrative investigations into security breaches.
Some examples of security breaches include:
- violation of the Policy on Government Security or the Industrial Security Manual
- access to protected or classified information or assets by a person or an organization who does not have the required clearance
- criminal activity
- information technology security incidents
The program will investigate security violations of protected and classified information and assets, such as:
- failure to handle and safeguard in accordance with the Industrial Security Manual
- unauthorized modification, retention, destruction, or removal
- unauthorized interruption of the flow of information
Our investigator will:
- assess the scope of the incident
- advise the company security officer on the safeguarding of the information or asset
- investigate allegations
- provide a report outlining corrective actions
- make recommendations to prevent further breaches
Role of the company security officer
If the company security officer believes a security incident has taken place, they are responsible for the following:
- reporting it to the program
- completing a written report of the security concern
- suspending access to sensitive information and assets until the program has completed the investigation
The company security officer can prevent security incidents by creating awareness in the organization. How? By:
- informing employees of their security responsibilities and making them aware of security concerns, threats and risks
- conducting regular checks to make sure employees are respecting security procedures and practices
- increasing employee awareness through security awareness orientation and training
- sharing information on the organization's security procedures and best practices
- posters, banners, newsletters, videos and presentations are all practical ways to get the message across
- Date modified: