Guideline for developing a security plan for safeguarding controlled goods

3.1 Access

To be in a position to examine, possess or transfer controlled goods.

3.2 Authorized individual

An owner or senior official of the organization who is identified as a business official and signed section H of the application for registration (PDF, 592KB) for that organization.

3.3 Controlled goods

Controlled goods are primarily goods, including components and technical data that have military or national security significance, which are controlled domestically by the Government of Canada and defined in the Schedule to the Defence Production Act. Controlled goods can be in the form of tangible items such as parts or components, printed material or electronic data.

3.4 Designated official

A business official or other employee of the organization who has been appointed by the authorized individual and has successfully completed the mandatory training for designated officials.

3.5 Examine

To consider in detail or subject to an analysis in order to discover essential features or meaning.

3.6 International student

An individual who is authorized by a study permit or by the Immigration and Refugee Protection Regulations to engage in studies in Canada and who is not an officer, director or employee of a company registered in the program.

3.7 Possess

Either actual possession, where the person has direct physical control over a controlled good at a given time, or constructive possession, where the person has the power and the intention at a given time to exercise control over a controlled good, either directly or through another person or persons.

3.8 Shall and must

A firm and bonding requirement.

3.9 Temporary worker

An officer, director or employee of a company registered in the program who is neither of the following:

• a Canadian citizen, ordinarily a resident in Canada
• a permanent resident, ordinarily a resident in Canada

3.10 Transfer

With respect to a controlled good, to dispose of it or disclose its content in any manner.

3.11 Visitor

An individual, other than an international student, who is not an officer, director or employee of a company registered in the program who is neither of the following:

• a Canadian citizen, ordinarily a resident in Canada
• a permanent resident, ordinarily a resident in Canada

4.1 Development and implementation

A security plan must be developed and implemented for each place of business in Canada where controlled goods are kept. A unique security plan can be developed and implemented for each place of business; or, you may elect to complete a single security plan that will cover all registered sites. If a single security plan is chosen, the company must ensure that the procedures used to safeguard the controlled goods collectively reflect the conditions at all sites. This may require separate sections within the security plan to reflect the conditions and procedures for individual sites.

4.2 Risk assessment and management

Companies are uniquely placed to assess and manage the risk towards the controlled goods in their possession. Risk is based on actual or possible threats against the controlled goods. Some examples are, but not limited to:

• criminal activity near the site (a high number of break and enter occurrences may be a cause to enhance physical security measures)
• location of the site (in a rural or urban area) and proximity to police or security services
• the type of controlled goods kept at the site

4.3 Required measures

The following measures must be included in the security plan:

• description of the responsibilities of the company’s security organization and identity of the individuals who are responsible for the security of controlled goods
• procedures used to control the examination, possession and transfer of controlled goods
• procedures for reporting and investigating security breaches in relation to controlled goods
• content of training programs given to officers, directors, employees and temporary workers
• content of security briefings given to visitors

4.4 Varied content

A security plan template can be found at the end of this guideline. The security requirements and the content of a security plan will inevitably differ from one company to another. The security plan template may therefore be amended as required in order to reflect the type of controlled goods, physical conditions at the site and the company’s procedures to safeguard the controlled goods, while ensuring that all required measures have been included.

Refer to section 7. Security plan template

4.5 Maintenance and application

A security plan must be developed and maintained, and must also be effectively applied throughout the period of registration.

5.1 Legal name of the company

The security plan must identify the company by its legal name. Business and operational names may also be added as a secondary form of identification.

5.2 Site address

The complete civic address of each site where controlled goods are kept must be incorporated into the security plan. Post Office Box (P.O. Box) addresses do not constitute a civic address.

5.3 Security organization

The company’s security organization must include the key positions tasked with safeguarding the controlled goods and identify the persons responsible. The security organization must include the identities of the authorized individual and the designated official(s).

5.4 Responsibilities of the security organization

The responsibilities of each member of the security organization must be outlined. The responsibilities of the authorized individual and the designated official(s) are listed in the security plan template. Additional responsibilities may be outlined as deemed appropriate for the organization.

5.5 Additional responsibilities

Additional responsibilities for the safeguarding of controlled goods may include, but are not limited to, the identity of the person/position that is responsible for:

• maintaining a record of the transfer and disposal of controlled goods. This record must identify a description of:
  • any controlled goods received, the date of their receipt and an identification of the company from which they were transferred
  • any controlled goods transferred, the date of the transfer and the identity and address of the company to whom they were transferred
  • the manner and date of disposition of the controlled goods
• providing training with respect to the secure handling of controlled goods to officers, directors, employees, temporary workers and international students who are authorized to possess, examine or transfer controlled goods
• collecting evidence of an individual’s status as a director, officer or employee of a company that is registered to access controlled goods under the International Traffic in Arms Regulations when that person is visiting for the purpose of examining, possessing or transferring controlled goods

5.6 Procedures to monitor the controlled goods

This section is used to describe how the controlled goods are safeguarded from unauthorized examination, possession or transfer. The following information must be included in this section:

• a brief description of the controlled goods and how the company is working with the controlled goods. For example, the controlled goods may be technical data and drawings, components or the assembled item
• the procedures which identify how the controlled goods are received, kept and transferred. A list of proposed procedures is provided in the security plan template

5.7 Breaches

Describe the procedures and investigative steps that the company will follow in the event of a security breach, or a suspected security breach, involving controlled goods. Define what constitutes a security breach: theft; loss; unauthorized examination, possession or transfer; willful damage and tampering with controlled goods; are some examples. The program must be advised within 3 days upon discovery of a potential security breach involving controlled goods. The required steps to be included in the security plan are provided in the security plan template.

5.8 Training

All officers, directors, employees, temporary workers and international students shall undergo initial training prior to accessing the controlled goods. This training must take into account the content of the security plan and establish:

• an understanding of the definitions of examine, possess and transfer, and how they relate to the safeguarding of controlled goods
• familiarity with the procedures for safeguarding the controlled goods
• familiarity with the procedures for reporting any potential security breaches involving controlled goods
• refresher training that will consist of an annual review of the abovementioned training

5.9 Security briefings

Describe the procedure for briefing visitors who are visiting the site for the purpose of examining, possessing and transferring controlled goods. The following statements must be included:

• visitors who have received registration exemption from the program must be reminded of any limitations that may be imposed on the exemption certificate as well as any conditions that may be imposed by the company
• visitors who have not received registration exemption from the program must be informed that they will not be allowed to examine, possess or transfer controlled goods in the course of their visit

6.1 Review and update

The security plan is a living document. It must be reviewed on a regular basis, and updated as required to reflect any changes to the conditions at the site as well as changes in requirements imposed by the program. It must be made available to all officers, directors, employees and temporary employees, who are in a position to examine, possess or transfer controlled goods.

6.2 Integration into existing plans

The contents of the controlled goods security plan may be incorporated into an existing security plan provided that the requirements contained in this guideline are included.

6.3 Application period

The company must ensure that the security plan is effectively applied throughout the period of registration.

6.4 Final approval

Final approval of the security plan will occur during a compliance inspection. The inspector will review the plan to ensure that it meets the requirements of the Controlled Goods Regulations and that the plan’s procedures match the conditions at all places of business, whether collectively or individually by site.