Annex A: Guidelines on company security officer and alternate company security officer responsibilities

Use this annex in conjunction with the Contract Security Manual (CSM).

On this page

  1. General responsibilities for company security officers and alternate company security officers
  2. Document safeguarding capability responsibilities
  3. Official contact with Public Services and Procurement Canada
  4. Security briefings
  5. Security awareness content
  6. Security violations, breaches and compromises
    1. Security incidents
    2. Security breaches
    3. Changes in behaviour
    4. Changes in circumstances
    5. Suspicious contacts and security incidents
    6. Organizational changes
    7. Classified contracts from foreign entities
  7. Reporting
  8. Contract Security Program compliance and enforcement guide

I. General responsibilities for company security officers and alternate company security officers

When the organization holds a designated organization screening (DOS) or a facility security clearance (FSC), the company security officer (CSO) and alternate company security officer (ACSO) sign an acknowledgement and undertaking form that provides a list of their obligations. Except where indicated, the CSO and ACSO are responsible for:

  1. appointing, briefing and training all ACSOs (CSO responsibility)
  2. designating one appointed ACSO to be the CSO in their absence (CSO responsibility)
  3. reviewing the security requirements in the contract security requirements checklist (SRCL) or contract security clauses and ensuring that all requirements are followed
  4. obtaining approval from Public Services and Procurement Canada’s Contract Security Program (CSP) before awarding a subcontract with security requirements
  5. submitting personnel security screening requests for all ACSOs and key senior officials (KSO) to the highest level of access required
  6. submitting personnel security screening requests for employees of their organization who require access to protected and classified information, assets, or worksites
  7. verifying the identities of employees through evidence of identity and validating details related to date of birth, address, education, professional qualifications, employment history, travel and personal character references
  8. coordinating subject interviews with employees, when required
  9. submitting requests for personnel security screening updates and upgrades, when required
  10. conducting security briefings for employees after they receive a security clearance or reliability status and completing the Security screening certificate and briefing form
  11. briefing employees on their responsibility to protect North Atlantic Treaty Organization (NATO) classified information and having them sign the acknowledgement form provided by the CSP and return the signed forms by email
  12. retaining signed briefing forms in the employee's file
  13. limiting access to protected and classified information, assets or worksites to only personnel who have the proper security screening and who have a need-to-know
  14. maintaining an up-to-date list of security screened CSOs, ACSOs, KSOs and employees
  15. safeguarding personnel security screening files
  16. submitting the Security screening certificate and briefing form to terminate the reliability status or security clearance of employees who no longer require access to protected and classified information, assets or worksites
  17. coordinating with the client's security representative to brief employees working at client sites on any relevant security requirements
  18. completing requests for visits
  19. informing the CSP of any changes in the organization's legal status, corporate structure, ownership and changes to the list of KSOs
  20. promptly informing the CSP before any physical move or new construction
  21. documenting and reporting to the CSP any changes of circumstance or behaviour of security screened personnel and ACSOs (Chapter 4: Security screening of this manual)
  22. documenting and reporting to the CSP any persistent or unusual contact or attempts from another individual to gain access to sensitive information, assets or a facility without proper authorization
  23. ensuring that approved visits are properly logged
  24. promptly informing the CSP of any classified contracts and sub-contracts from and to foreign entities
  25. promptly informing the CSP following any damage to classified information and assets
  26. completing essential training offered by the CSP, which includes training in a virtual classroom setting, online videos and pre-recorded webinars

II. Document safeguarding capability responsibilities

In addition to the above responsibilities, if the organization also has document safeguarding capability (DSC), the CSO and ACSO are also responsible for:

  1. preparing security orders and briefing all personnel who have access to protected and classified information and assets on their security responsibilities by implementing an effective security awareness program
  2. appointing, when required, an information technology corporate security coordinator
  3. coordinating with the Communications Security Establishment (CSE) to appoint, when required, communication security (COMSEC) and alternate COMSEC custodians
  4. ensuring that all protected and classified information and assets are safeguarded and handled according to the provisions of the CSM (Chapter 6: Handling and safeguarding information and assets of this manual) and contract-specific clauses
  5. annually updating the inventory of protected and classified information and assets
  6. notifying the CSP of all security violations for direction before investigating
  7. notifying the CSP immediately of any significant incident or compromise, and submitting a written report. Investigations of breaches or compromises will be coordinated by the CSP
  8. establishing a registry to log and control access to classified information
  9. briefing hand-carriage couriers as per the courier certificates provided by the CSP

III. Official contact with Public Services and Procurement Canada

The CSO is the official contact with the CSP to address and coordinate security issues. Communication with the CSP, whether written or oral, should be limited to the CSO, ACSO(s), or the chief executive officer of the organization.

IV. Security briefings

To ensure proper security in the organization, the CSO works closely with management, from the top down, to conduct a security education and aftercare program. Inadequate security may result in the loss of an organization’s DOS or FSC and the cancellation of contracts involving protected or classified information and assets.

The CSO and security staff are not solely responsible for an organization's security. Managers and supervisors, at all levels, and KSOs are responsible for their own personal security measures in addition to ensuring that proper security procedures are followed by all employees in the organization. The CSP recommends that performance assessments include a measure of the individual's security effectiveness, just as they include other organizational assessments.

An initial security briefing, reinforced by an ongoing security education and awareness program, is essential to maintaining an effective security program. Ultimately, the success of a security program depends on the employees of the organization. Procedures, regulations and physical safeguards are more effective if employees are fully aware of their individual responsibilities and the importance of the security requirements, along with the necessity for these security requirements.

The Security screening certificate and briefing form, which each person reads and signs when receiving their reliability status or security clearance, is an acknowledgement of their responsibilities. The signing of the form must be accompanied by a briefing from the CSO, detailing the individual’s specific responsibilities and duties regarding security in the facility holding a DOS or FSC. The completed and signed form must be kept in the employee’s personnel file.

New employees, even though not yet security-screened and therefore prohibited from knowledge of or access to protected and classified information, assets, and secure sites, should be given a security briefing appropriate to their duties. Security in the private sector includes requirements for corporate security, as well as safeguarding government protected and classified information and assets.

Ongoing security education

Ongoing security education and awareness may contain many forms of instruction including, but not limited to:

  • general briefings to all employees
  • smaller, group briefings
  • movies and videos
  • articles in an organization's newsletter(s)
  • security bulletins
  • posters
  • specific training for employee supervisors regarding aftercare of all security assessed employees

Assistance with training sessions is available by emailing the CSP at tpsgc.ssidsicsensibilisation-isscisdoutreach.pwgsc@tpsgc-pwgsc.gc.ca.

V. Security awareness content

Each organization's security education and awareness program must be tailored to the situation and needs of the specific facility holding a DOS or FSC with a DSC. The organization is required to develop a document that guides and directs employees on the security measures to be implemented in the organization. It should be based on the CSM; however, the organization should not reproduce the CSM in its entirety. The security orders should be developed for the specific facility holding the DOS or FSC.

Suggested topics to include in the security orders

  • The CSP and its requirements
  • Security references
  • Security organization
  • Level of DOS or FSC
  • Handling and safeguarding information and assets
  • Personnel security screening
  • Procedure for persons terminating employment
  • Security education and awareness
  • Physical security
  • Access controls
  • Intrusion alarms
  • Emergencies
  • Special international requirements, including NATO requirements
  • Security incidents
  • Procedures for unclassified and classified visits
  • Contract security requirements
  • Foreign contract security requirements
  • Information technology security
  • United States / Canada Joint Certification Program
  • Where to obtain security information
  • List of abbreviations and acronyms
  • List of definitions

VI. Security violations, breaches and compromises

Organizations must establish a procedure to identify and investigate suspected or confirmed security incidents, breaches or compromises. Any incidents must be recorded on a completed Security incident report form for security officers, ensuring no classified information is included, and emailed to the CSP: ssidsicdieenquetes-isscisdiidinvestigations@tpsgc-pwgsc.gc.ca.

CSOs are also responsible for recording any changes in behaviour or circumstances related to individual employees, or a suspicious contact from another person. These instances must be properly recorded and reported to the CSP. Any changes in behaviour of your screened personnel must be promptly reported by email: spac.dgsssidessn-dobissnssid.pspc@tpsgc-pwgsc.gc.ca. Consult the Security screening certificate and briefing form for more information.

The CSO can prevent security incidents by creating awareness in the organization of the following:

Security incidents

A security incident is an alert that a breach of security may be taking place or may have taken place. It is an act, event or omission that could result in the compromise of information, assets or services. This may include:

  • leaving a protected file out on a desk unattended
  • misplacing a laptop computer that contains secure information
  • suspicious contact from someone who may be trying to gain sensitive information from you

Security breaches

A security incident that leads to a confirmed compromise of the confidentiality, integrity, or availability of information and assets is considered a security breach.

A breach is an act, event or omission that results in the compromise of sensitive information or assets. This means that there has been unauthorized access, disclosure, destruction, removal, modification, use or interruption of protected and classified information and assets.

Changes in behaviour

Unusual behaviour in security screened individuals that may be cause for security concern must be reported to the CSO or ACSO. They may include but are not limited to:

  • drug or alcohol misuse
  • expressions of support for extremist views, actions or incidents, particularly when violence is advocated
  • unexplained hostile behaviour or communication
  • unexplained frequent absences
  • indications of fraudulent activity
  • disregard for safeguarding sensitive information or assets (such as repeated security violations or breaches)
  • unexplained financial affluence or extreme financial distress
  • persistent or unusual interest in or attempts to gain access to sensitive information, assets or facilities to which an individual has no work-related need to access

A CSO who becomes aware or has reasonable and probable grounds to suspect that an employee has a change of circumstances or behaviour that may be cause for security concern must forward a complete report of the change of circumstances to the CSP. The CSO may also deny that individual access to protected and/or classified information and assets until the situation is resolved.

Changes in circumstances

All individuals are required to report information related to a change of personal circumstances that may affect their reliability status or security clearance. At a minimum, individuals are required to report any:

  • change in criminal record status (criminal conviction, suspension of a criminal record or other judicial prohibitions)
  • involvement with law enforcement (such as being the subject of a criminal investigation, being charged or arrested)
  • association with criminals
  • legal name changes based on marriage or divorce
  • significant change in financial situation (such as bankruptcy or unexpected wealth)

Suspicious contacts and security incidents

Persistent or unusual contact from another individual to obtain access to protected or classified information, assets or a facility without proper authorization must be documented, investigated and reported. As CSO, you must ensure that access to information and assets is limited to employees who:

  • are security screened and have been briefed on their security responsibilities and have acknowledged these responsibilities in writing
  • need to access and know information in order to perform their duties, referred to as a need-to-know (the intended recipient must have access to perform his or her official duties)

If an organization has sensitive government information or assets at any of its worksites, the CSO or ACSO must remain even more aware of suspicious behaviours and be ready to report these to the CSP.

Organizational changes

A CSO or ACSO who becomes aware of any changes in the organization's legal status, corporate structure, ownership or changes to the list of KSOs must promptly inform the CSP of these changes to start a review of the registration and organizational screening.

Classified contracts from foreign entities

A CSO or ACSO who becomes aware of any classified contracts or sub-contracts awarded to the organization from a foreign government, foreign industry or international organization must promptly inform the CSP to ensure these contracts do not create additional risk to contracts awarded by the Government of Canada, and to ensure the protection of the foreign classified information is in accordance with bilateral security instruments administered by the CSP.

VII. Reporting

All clearance holders must report known or suspected security incidents to the CSO. If the CSO believes a security breach has taken place, they are responsible for the following:

Upon receiving an incident report, the CSO must immediately conduct a preliminary inquiry to determine all of the circumstances and report the incident to the CSP within 24 hours. If the results of the preliminary inquiry indicate a suspected or actual breach of information and assets, the CSO must immediately notify the CSP. The CSP will conduct an investigation of the incident to determine the cause and recommend corrective measures and controls for the CSO to implement to prevent or minimize the possibility of future similar incidents.

Records should be kept by the organization for a period of 2 years following the incident and are subject to inspection by the CSP field industrial security officer (FISO).

Learn more about Reporting security incidents and changes in circumstances and behaviours.

Note

Most attempts to collect sensitive information or intelligence are subtle and often appear harmless. These can occur during social events, over the internet or during official meetings held domestically or abroad.

At a minimum, the CSO or ACSO must report the following situations to the CSP:

VIII. Contract Security Program compliance and enforcement guide

The CSP will conduct assessments of organizations in cases of non-compliance and for security breaches and/or violations as indicated above.

Procedures

  1. When a security incident or breach occurs, the CSO must immediately notify CSP officials and, when required, the organization’s client department, before conducting an internal inquiry. The CSO must then submit a security incident report to the CSP identifying the type of occurrence and the details of the incident or security breach, ensuring no classified information is included.
  2. After completing the assessment, the CSP may suspend the organization immediately. The CSP will notify the CSO of any corrective action and mitigation measures to be taken. In the case of an immediate suspension, the CSP will provide the organization an opportunity to demonstrate that it still meets the minimum requirements to maintain a valid organization security clearance.
  3. Failure to implement corrective actions, if required, could result in a suspension. If the company is suspended, failure to demonstrate that the organization still meets the requirements of the CSP could result in a revocation of the organization’s security clearance status. When the company’s organization security clearance is revoked, the CSP will also administratively close all of its active personnel security screenings. Any personnel security screening requests that were pending would have been closed by the CSP at the suspension stage.

The following list helps determine the reasons for suspensions and the length of revocations in cases where organizations' security clearances are revoked.

Table 1: Reasons for suspensions and the corresponding lengths of revocation

Each entry below gives the reason for suspension, a description, the disciplinary action and remarks, grouped by the length of revocation that applies.

Length of revocation: 30 day suspension and revocation if unresolved

  • Key people in the organization do not hold the required personnel security screenings
    Description: the CSP’s inability to obtain and confirm the personnel security screening for CSOs, ACSOs and KSOs.
    Disciplinary action: 30 day suspension. Revocation if unresolved.
    Remarks: the organization will be suspended and given 30 days to submit the required information; otherwise, the organization will be revoked. The organization can be reinstated only after all personnel security screenings are confirmed for CSOs, ACSOs and KSOs.
  • No physical location in Canada
    Description: the inability of the organization to provide valid proof of a permanent physical location and a principal place of business in Canada where the work is executed and where the business operates.
    Disciplinary action: 30 day suspension. Revocation if unresolved.
    Remarks: the company can be reinstated if it provides proof of a physical location deemed satisfactory by the CSP. A post office box will not be recognized as an organization’s address.
  • Refusal to grant access to a CSP representative
    Description: the organization refusing to grant an authorized representative of the program access, either to enter its physical location or to interview an identified key person of the organization.
    Disciplinary action: 30 day suspension. Revocation if unresolved.
    Remarks: the company can either be reinstated or revoked depending on whether or not the company is deemed to be compliant with the CSP requirements.
  • Termination, suspension or revocation of a key official’s personnel security screening
    Description: any termination, suspension or revocation of key personnel’s security screening (for example, a KSO or CSO) that may impact the security status of the organization.
    Disciplinary action: 30 day suspension. Revocation if unresolved.
    Remarks: the organization will be suspended and given 30 days to submit the required information. The organization can be reinstated when personnel security screenings are confirmed for CSOs and KSOs.

Length of revocation: 30 day suspension and revocation of up to 2 years

  • Security breach
    Description: personnel from the organization accessing protected or classified information or assets without the proper level of security screening or need-to-know.
    Disciplinary action: 30 day suspension. Revocation of up to 2 years if unresolved.
    Remarks: the type of information that was accessed and the resulting damage caused to the Government of Canada will determine the length of the revocation.
  • Unauthorized KSO accessing information
    Description: KSOs of the organization who have signed a KSO exclusion accessing protected or classified information, assets or sites.
    Disciplinary action: 30 day suspension. Revocation of up to 2 years if unresolved.
    Remarks: the type of information that was accessed and the resulting damage caused to the Government of Canada will determine the length of the revocation.

Length of revocation: 30 day suspension and revocation of up to 3 years

  • Providing false or misleading information
    Description: the organization failing to provide accurate information to the program or any Government of Canada department, either by wilful action or by omission resulting from neglect on the part of the organization, which brings the trustworthiness or reliability of the organization into dispute.
    Disciplinary action: 30 day suspension. Revocation of up to 3 years.
    Remarks: the length of the revocation period will depend on the extenuating circumstances and may be higher for organizations that have previously committed offences documented by the CSP.
  • Criminal acts or convictions by key individuals
    Description: any criminal acts committed by CSOs, ACSOs or KSOs as a representative of the organization, where the act is committed to benefit the organization or their standing in the organization.
    Disciplinary action: 30 day suspension. Revocation of up to 3 years.
    Remarks: the length of the revocation period will depend on the type of offence committed and the criminal conviction.
  • Acts of aggression
    Description: any aggressive behaviour, such as shouting, using harsh language or harassment against the Crown, by KSOs, CSOs or ACSOs, which may be considered a breach of the anti-harassment provisions found in the Code of Conduct for Procurement.
    Disciplinary action: 30 day suspension. Revocation of up to 3 years.
    Remarks: the length of the revocation period will depend on the extenuating circumstances and may be higher for organizations that have previously committed such offences documented by the CSP.
  • Failure to report changes to the organization
    Description: failure to disclose changes to the organization which bring the trustworthiness or reliability of the organization or its contracts into dispute, including but not limited to changes in jurisdiction of registration, ownership, partners, bankruptcy, criminal convictions of the organization or of one of its owners, partners or officers, or dissolution.
    Disciplinary action: 30 day suspension. Revocation of up to 3 years.
    Remarks: the length of the revocation period will depend on the extenuating circumstances and may be higher for repeat offenders.

Length of revocation: 30 day suspension and revocation of up to 10 years

  • Criminal acts, charges or convictions committed by the organization
    Description: charges or convictions for offences such as, but not limited to, conspiracies, agreements or arrangements between competitors, bid rigging, bribery, extortion, forgery and other offences resembling forgery, fraudulent manipulation of stock exchange transactions, insider trading, falsification of books and documents, criminal breach of contract, secret commissions, overbilling, laundering proceeds of crime, participation in the activities of a criminal organization, foreign directives, false or misleading information, deceptive notice of winning a prize, false or deceptive statements regarding the Excise Tax, and other offences under the Criminal Code and under the Competition Act, Income Tax Act, Corruption of Foreign Public Officials Act, Controlled Drugs and Substances Act and Lobbying Act.
    Disciplinary action: 30 day suspension. Revocation of up to 10 years.
    Remarks: the length of the revocation period will depend on the extenuating circumstances and may be higher for repeat offenders.

Length of revocation: Revocation

  • Unmitigated high degree of foreign ownership, control or influence (FOCI)
    Description: the CSP’s inability to adequately mitigate the risks associated with FOCI on the Canadian organization. FOCI refers to a situation where a company operating within a country’s jurisdiction is subject to significant influence, control or ownership by foreign entities. A high degree of FOCI can pose risks to national security interests, as it may lead to unauthorized access to sensitive information or influence over critical decisions.
    Disciplinary action: revocation.
    Remarks: the revocation will be permanent unless the CSP can adequately mitigate the risks associated with FOCI.

In the event that the CSP determines that the organization is not in compliance with the CSP (including but not limited to the above-listed circumstances), it may suspend the organization’s security clearance and submit a letter to the organization advising it of the outcome of the assessment. Should the organization not make satisfactory amends in order to be in compliance with the CSP within 30 calendar days of being suspended, the organization’s security clearance may be revoked.
