Annex A: Guidelines on company security officer and alternate company security officer responsibilities

Document navigation for "Contract Security Manual"

Use this annex in conjunction with the Contract Security Manual (CSM).

On this page

  1. General responsibilities for company security officers and alternate company security officers
  2. Document safeguarding capability responsibilities
  3. Official contact with Public Services and Procurement Canada
  4. Security briefings
  5. Security awareness content
  6. Security violations, breaches and compromises
    1. Security incidents
    2. Security breaches
    3. Changes in behaviour
    4. Changes in circumstances
    5. Suspicious contacts and security incidents
    6. Organizational changes
    7. Classified contracts from foreign entities
  7. Reporting
  8. Investigations

I. General responsibilities for company security officers and alternate company security officers

When the organization holds a designated organization screening (DOS) or a facility security clearance (FSC), the company security officer (CSO) and alternate company security officer (ACSO) sign an acknowledgement and undertaking form that provides a list of their obligations. Except where indicated, the CSO and ACSO are responsible for:

  1. appointing, briefing and training all ACSOs (CSO responsibility)
  2. designating one appointed ACSO to be the CSO in their absence (CSO responsibility)
  3. reviewing the security requirements in the contract security requirements checklist (SRCL) or contract security clauses and ensuring that all requirements are followed
  4. obtaining approval from Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) before awarding a subcontract with security requirements
  5. submitting personnel security screening requests for all ACSOs and key senior officials (KSO) to the highest level of access required
  6. submitting personnel security screening requests for employees of their organization who require access to protected and classified information, assets, or worksites
  7. verifying the identity of employees through evidence of identity and validating details related to date of birth, address, education, professional qualifications, employment history, travel and personal character references
  8. coordinating subject interviews with employees, when required
  9. submitting requests for personnel security screening updates and upgrades, when required
  10. conducting security briefings for employees after they receive a security clearance or reliability status and completing the Security screening certificate and briefing form
  11. briefing employees on their responsibility to protect North Atlantic Treaty Organization (NATO) classified information, having them sign the acknowledgement form provided by PSPC’s CSP and returning the signed forms to PSPC’s CSP by email
  12. retaining signed briefing forms on file
  13. limiting access to protected and classified information, assets or worksites to only personnel who have the proper security screening and who have a need-to-know
  14. maintaining an up-to-date list of security screened CSOs, ACSOs, KSOs and employees
  15. safeguarding personnel security screening files
  16. submitting the Security screening certificate and briefing form to terminate the reliability status or security clearance of employees who no longer require access to protected and classified information, assets or worksites
  17. coordinating with the client's security representative to brief employees working at client sites on any relevant security requirements
  18. completing requests for visits
  19. informing PSPC’s CSP of any changes in the organization's legal status, corporate structure, ownership and changes to the list of KSOs
  20. promptly informing PSPC’s CSP before any physical move or new construction
  21. documenting and reporting to PSPC’s CSP any changes of circumstance or behaviour of security screened personnel and ACSOs (Chapter 4: Security screening of this manual)
  22. documenting and reporting to PSPC’s CSP any persistent or unusual contact or attempts from another individual to gain access to sensitive information, assets or a facility without proper authorization
  23. ensuring that approved visits are properly logged
  24. promptly informing PSPC’s CSP of any classified contracts and sub-contracts from and to foreign entities
  25. promptly informing PSPC’s CSP following any damage to classified information and assets
  26. completing essential training offered by PSPC’s CSP, which includes classroom training and online videos and webinars

II. Document safeguarding capability responsibilities

In addition to the above responsibilities, if the organization also has document safeguarding capability, the CSO and ACSO are also responsible for:

  1. preparing security orders and briefing all personnel who have access to protected and classified information and assets on their security responsibilities by implementing an effective security awareness program
  2. appointing, when required, an information technology (IT) corporate security coordinator
  3. coordinating with the Communications Security Establishment (CSE) to appoint, when required, communication security (COMSEC) and alternate COMSEC custodians
  4. ensuring that all protected and classified information and assets are safeguarded and handled according to the provisions of the CSM (Chapter 6: Handling and safeguarding information and assets of this manual) and contract-specific clauses
  5. annually updating the inventory of protected and classified information and assets
  6. notifying PSPC’s CSP of all security violations for direction before investigating
  7. notifying PSPC’s CSP immediately of any significant incident or compromise, and submitting a written report. Investigations of breaches or compromises will be coordinated by PSPC’s CSP
  8. establishing a registry to log and control access to classified information
  9. briefing hand-carriage couriers as per the courier certificates provided by the PSPC’s CSP

III. Official contact with Public Services and Procurement Canada

The CSO is the official contact with PSPC’s CSP to address and coordinate security issues. Communication with PSPC’s CSP, whether written or oral, should be limited to the CSO, ACSO(s), or the chief executive officer of the organization.

IV. Security briefings

To ensure proper security in the organization, the CSO works closely with management, from the top down, to conduct a security education and aftercare program. Inadequate security may result in the loss of an organization’s DOS or FSC and the cancellation of contracts involving protected or classified information and assets.

The CSO and security staff are not solely responsible for an organization's security. Managers and supervisors, at all levels, and KSOs are responsible for their own personal security measures in addition to ensuring that proper security procedures are followed by all employees in the organization. PSPC’s CSP recommends that performance assessments include a measure of the individual's security effectiveness, just as they include other organizational assessments.

An initial security briefing, reinforced by an ongoing security education and awareness program, is essential to maintaining an effective security program. Ultimately, the success of a security program depends on the employees of the organization. Procedures, regulations and physical safeguards are more effective if employees are fully aware of their individual responsibilities and of why the security requirements are necessary.

The Security screening certificate and briefing form, which each person reads and signs when receiving their reliability status or personnel security clearance, is an acknowledgement of their responsibilities. It must be accompanied by a briefing from the CSO, detailing the individual’s specific responsibilities and duties regarding security in the facility holding a DOS or FSC. The completed and signed form must be kept in the employee’s personnel file.

New employees, even though not yet security-screened and therefore prohibited from knowledge of or access to protected/classified information, assets, and secure sites, should be given a security briefing appropriate to their duties. Security in the private sector includes requirements for corporate security, as well as safeguarding government protected and classified information and assets.

Ongoing security education

Ongoing security education and awareness may contain many forms of instruction including, but not limited to:

  • general briefings to all employees
  • smaller, group briefings
  • movies/videos
  • articles in an organization's newsletter(s)
  • security bulletins
  • posters
  • specific training for employee supervisors regarding aftercare of all security assessed employees

Assistance with training sessions is available by emailing PSPC’s CSP at tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca.

V. Security awareness content

Each organization's security education and awareness program must be tailored to the situation and needs of the specific facility holding a DOS or FSC with document safeguarding capability (DSC). The organization is required to develop a document (the security orders) that guides and directs employees on the security measures to be implemented in the organization. It should be based on the CSM; however, the organization should not reproduce the CSM in its entirety. The security orders should be developed for the specific facility holding the DOS or FSC.

Suggested topics to include in the security orders

  • The CSP and its requirements
  • Security references
  • Security organization
  • Level of DOS or FSC
  • Handling and safeguarding information and assets
  • Personnel security screening
  • Procedure for persons terminating employment
  • Security education and awareness
  • Physical security
  • Access controls
  • Intrusion alarms
  • Emergencies
  • Special international requirements, including NATO requirements
  • Security incidents
  • Procedures for unclassified and classified visits
  • Contract security requirements
  • Foreign contract security requirements
  • Information technology security
  • United States / Canada Joint Certification Program
  • Where to obtain security information
  • List of abbreviations and acronyms
  • List of definitions

VI. Security violations, breaches and compromises

Organizations must establish a procedure to identify and investigate suspected or confirmed security incidents, breaches or compromises. CSOs are also responsible for recording any changes in behaviour or circumstances related to individual employees, or a suspicious contact from another person. These instances must be properly recorded and reported to PSPC’s CSP.

Any incident must be recorded on a completed security incident report, ensuring no classified information is included, and emailed to PSPC’s CSP at ssidsicdieenquetes/.isscisdiidinvestigations@tpsgc-pwgsc.gc.ca. Any change in behaviour of your screened personnel must be promptly reported by email to ssidivisiondesenquetes.issinvestigationsdivision@tpsgc-pwgsc.gc.ca. Further information is available on PSPC’s CSP Reporting security incidents and changes in circumstances and behaviours webpage.

The CSO can help prevent security incidents by making employees aware of what constitutes a security incident, a security breach, a reportable change in behaviour or circumstances and a suspicious contact, as described below.

Security incidents

A security incident is an alert that a breach of security may be taking place or may have taken place. It is an act, event or omission that could result in the compromise of information, assets or services. This may include:

  • leaving a protected file out on a desk unattended
  • misplacing a laptop computer that contains protected or classified information
  • suspicious contact from someone who may be trying to gain sensitive information from you

Security breaches

A security incident that leads to a confirmed compromise of the confidentiality, integrity or availability of information and assets is considered a security breach.

A breach is therefore an act, event or omission that results in the compromise of sensitive information or assets: there has been unauthorized access, disclosure, destruction, removal, modification, use or interruption of protected or classified information and assets.

Changes in behaviour

Unusual behaviour in security screened individuals that may be cause for security concern must be reported to the CSO or ACSO. Such behaviour may include, but is not limited to:

  • drug or alcohol misuse
  • expressions of support for extremist views, actions or incidents, particularly when violence is advocated
  • unexplained hostile behaviour or communication
  • unexplained frequent absences
  • indications of fraudulent activity
  • disregard for safeguarding sensitive information or assets (such as repeated security violations or breaches)
  • unexplained affluence or extreme financial distress
  • persistent or unusual interest in or attempts to gain access to sensitive information, assets or facilities to which an individual has no work-related need to access

A CSO who becomes aware, or has reasonable and probable grounds to suspect, that an employee has a change of circumstances or behaviour that may be cause for security concern must forward a complete report of the change of circumstances or behaviour to PSPC’s CSP. The CSO may also deny that individual access to protected and/or classified information and assets until the situation is resolved.

Changes in circumstances

All individuals are required to report information related to a change of personal circumstances that may affect their reliability status or security clearance. At a minimum, individuals are required to report any:

  • change in criminal record status (criminal conviction, suspension of a criminal record or other judicial prohibitions)
  • involvement with law enforcement (such as being the subject of a criminal investigation, being charged or arrested)
  • association with criminals
  • legal name changes based on marriage or divorce
  • significant change in financial situation (such as bankruptcy or unexpected wealth)

Suspicious contacts and security incidents

Persistent or unusual contact from another individual to obtain access to protected or classified information, assets or a facility without proper authorization must be documented, investigated and reported. As CSO, you must ensure that access to information and assets is limited to employees who:

  • are security screened and have been briefed on their security responsibilities and have acknowledged these responsibilities in writing
  • need to access and know the information in order to perform their official duties (the need-to-know principle)

If an organization has sensitive government information or assets at any of its worksites, the CSO or ACSO must remain even more aware of suspicious behaviours and be ready to report these to PSPC’s CSP.

Organizational changes

A CSO or ACSO who becomes aware of any changes in the organization's legal status, corporate structure, ownership or changes to the list of KSOs must promptly inform PSPC’s CSP of these changes to start a review of the registration and organizational screening.

Classified contracts from foreign entities

A CSO or ACSO who becomes aware of any classified contracts or sub-contracts awarded to the organization by a foreign government, foreign industry or international organization must promptly inform PSPC’s CSP, to ensure that these contracts do not create additional risk to contracts awarded by the Government of Canada and that the foreign classified information is protected in accordance with the bilateral security instruments administered by PSPC’s CSP.

VII. Reporting

All clearance holders must report known or suspected security incidents to the CSO. Upon receiving an incident report, the CSO must immediately conduct a preliminary inquiry to determine all of the circumstances and report the incident to PSPC’s CSP within 24 hours. When the results of the preliminary inquiry indicate a suspected or actual breach of information and assets, the CSO must immediately notify PSPC’s CSP. PSPC’s CSP will conduct an investigation of the incident to determine the cause and recommend corrective measures and controls for the CSO to implement to prevent or minimize the possibility of future similar incidents.

Records should be kept by the organization for a period of 2 years following the incident and are subject to inspection by PSPC’s CSP field industrial security officer (FISO).

Further information is available on PSPC’s CSP Reporting security incidents and changes in circumstances and behaviours webpage.

Note

Most attempts to collect sensitive information or intelligence are subtle and often appear harmless. These can occur during social events, over the internet or during official meetings held domestically or abroad.

At a minimum, the CSO or ACSO must report to PSPC’s CSP the situations described in section VI above: security incidents and breaches, changes in behaviour or circumstances of security screened personnel, suspicious contacts, organizational changes and classified contracts from foreign entities.

VIII. Investigations

PSPC’s CSP will conduct investigations of organizations in cases of non-compliance and for security breaches and/or violations as indicated above.

Procedures

  1. When a security incident or breach occurs, the CSO must immediately notify PSPC’s CSP officials and, when required, the organization’s client department, before conducting an internal inquiry. The CSO must then submit a security incident report to PSPC’s CSP identifying the type of occurrence and the details of the incident or security breach, ensuring no classified information is included
  2. After completing the investigation, PSPC’s CSP will notify the CSO of any corrective action and mitigation measures to be taken
  3. Failure to implement corrective actions could result in a suspension or revocation of the organization’s DOS or FSC and of personnel security clearances. Before doing so, the following steps will be taken:
    1. PSPC’s CSP will send a warning letter to the CSO to begin a 30-day period within which the necessary corrective measures must be implemented and verified
    2. If the CSO does not comply with this request, PSPC’s CSP will send a letter of intent to revoke to the CSO outlining the reasons for the revocation and giving an additional 30-day period to respond
    3. If the CSO does not respond to the letter of intent to revoke by the expiration of this additional 30-day period, PSPC’s CSP will send a revocation letter via registered mail

Further information is available on PSPC’s Reporting security incidents and changes in circumstances and behaviours webpage.
