Audit of physical security - report summary
May 1, 2018
Background
Global Affairs Canada (GAC) is operating in complex and challenging security environments and the Departmental Security Plan 2017-18 identified operational and physical security abroad as the first security priority. The Department manages Canada's network of 179 missions in 109 countries around the world and hosts 37 partner organizations located in the missions, including federal departments and agencies and co-locators. Domestically, GAC maintains 12 Headquarters (HQ) facilities in the National Capital Region and five regional offices across Canada. Under the Treasury Board of Canada's Policy on Government Security, GAC is responsible for arranging and coordinating physical security for Government of Canada employees and assets housed at Canadian diplomatic and consular missions abroad.
Based on this information, the audit team conducted a preliminary analysis and risk assessment and determined that an audit of physical security would be an appropriate and relevant area of examination. To address these risks, the Department is guided by Treasury Board policy instruments, including the Operational Security Standard on Physical Security. The audit team also reviewed relevant physical security guidelines and best practices. These include physical security guidelines developed by the Royal Canadian Mounted Police and some principles and guidelines from ASIS International, a global community of security practitioners, for the protection of assets, people, property, and/or information.
Audit objective
The objective of the audit is to provide reasonable assurance that Global Affairs Canada has a complete and appropriate physical security management control framework in place to support the Department's Security Priorities, in line with the relevant Treasury Board policies, directives and operational standards related to physical security. The audit included an assessment of the following areas domestically and at missions:
- Roles, responsibilities and accountabilities with regard to physical security;
- Physical security risk management processes and practices;
- Physical security operational standards and plans;
- Physical restrictions and access to facilities, information, and assets; and
- Monitoring and reporting practices regarding physical security.
Audit scope
The audit assessed the Department's physical security function for FY 2015-16 and FY 2016-17, and the period from April 1, 2017 to January 31, 2018. During the same period, the Office of the Auditor General (OAG) was also conducting an audit on physical security. The OAG is collaborating with Global Affairs Canada's Office of the Chief Audit Executive to the greatest extent possible to leverage the work completed to date and minimize overlap. Furthermore, GAC's Office of the Inspector General – Evaluation Division conducted an evaluation on mission security that was reported in 2016. This audit does not include what was covered by the evaluation in order to reduce duplication of effort.
The audit team examined documents, conducted interviews with departmental officials, and assessed security of premises at HQ and Missions. Specifically, the audit team conducted over 70 group and individual interviews with employees involved in physical security across the Department at HQ and Missions. The audit team visited missions abroad. It also leveraged audit work performed by other internal teams for four missions. Finally, the audit team conducted audit work from HQ for two missions.
Observed strengths
The following strengths were identified during the audit. The Department:
- Has put in place a governance structure to prioritize security projects;
- Conducts site specific Vulnerability Assessments to identify physical security risks, both at domestic locations and missions abroad;
- Has established a series of physical security standards to ensure that departmental information, assets, and services are protected when designing, deploying or upgrading physical security safeguards abroad;
- Has developed and implemented Mission Emergency Plans and Local Security Standing Orders that adequately reflect the current threat environment; and
- Has created systems to track security incidents and to collect and analyse security information.
Findings
Based on a combination of the evidence gathered through the examination phase of documentation, analyses, interviews, and process walkthroughs, each audit criterion was assessed. Where a significant difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop a conclusion and to document five (5) recommendations for improvement.
Observations were noted and recommendations were made in the following areas during the audit:
- Governance structure and oversight
- Roles and responsibilities
- Implementation of physical security measures
- Monitoring and reporting
Conclusion
The audit team concludes that Global Affairs Canada has a complete and appropriate physical security management control framework in place to support the Department's Security Priorities, generally in line with the relevant Treasury Board policies, directives and operational standards related to physical security.
Areas of improvement revolve around better coordination and engagement between all the key stakeholders in order to fully integrate security considerations into the process of planning, selecting, designing, modifying, building, implementing, operating and maintaining facilities and equipment.
Statement of conformance
In my professional judgment as Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
| Criteria | Sub-criteria |
|---|---|
| 1. Roles, responsibilities, and accountabilities with regard to physical security are clearly defined and communicated. | 1.1 The senior oversight committees have an effective decision making process in place. |
| | 1.2 Processes, roles, responsibilities, and accountabilities of the Department's physical security function are clearly defined, communicated and followed. |
| 2. Risk assessments are conducted and adequate mitigation strategies and processes are in place to support the Department's physical security investment decisions. | 2.1 Threat and Risk Assessments (TRA) are conducted to identify physical security risks for each specific location, both domestically and abroad, and mitigation measures are developed accordingly. |
| | 2.2 The risk assessment results are used to support the prioritization of physical security investment projects. |
| 3. Complete and appropriate physical security framework is in place to support the Department's security priorities. | 3.1 The HQ and the Mission Specific Security Plans have been developed, adequately reflect the current threat environment, and are implemented. |
| | 3.2 Complete and appropriate operational security standards on physical security are in place to support the Department's physical security strategies. |
| | 3.3 Complete and appropriate standard operational procedures (SOPs) are in place at missions and domestically. |
| | 3.4 Physical security strategies are developed taking into consideration cost vs risk factors. |
| 4. Physical security measures or strategies are implemented to protect, detect, and respond to an unwanted event, both domestically and at missions. | 4.1 Protected and classified assets are safeguarded based on a clearly discernable hierarchy of zones. |
| | 4.2 Assets, records, IT equipment, and information are protected from unauthorized access, disclosure, modification or destruction. |
| | 4.3 Procedures and controls are in place to ensure that security guard contracts are being appropriately implemented. |
| 5. Physical security activities are monitored, analyzed, and reported, including events, incidents, and major initiative expenditures. | 5.1 Events and occurrences (incidents) for domestic and missions are tracked, collected, analyzed, investigated, and reported to senior management. |
| | 5.2 Information on physical security activities, initiatives of the real property investment plans, and other major initiatives is collected, analyzed, and reported. |