GCPSG-015 (2024)
Guide to the Application of Physical Security Zones

1.1. Purpose

The physical environments of facilities can be designed and managed to reduce the risk of unwanted events/incidents. Zoning is one such component which if implemented effectively can help reduce the risk of security events and help safeguard the confidentiality, availability and integrity of GC information, assets and people. While physical security zones are important security features, they should not be considered as a means to completely eliminate security risk, nor should it be considered as the only method to address risk. Instead, physical security zones should be viewed as an integral component of a GC department or agencies overall security risk management strategy.

1.2. Applicability

This guide is specific to the GC controlled facilities and should not be used to determine zoning for Remote/Telework location. This guide does not detail the security requirements for a remote/telework environment, for those guidelines refer to GCPSG-008 - Physical Security Considerations for Remote and Telework Environments.

All GC departments and agencies are responsible for safeguarding employees, assets, and service delivery within their area of responsibility. As it pertains to physical security zones, the Directive on Security Management (DSM), Appendix C, section C.2.3.2 “Implement measures to ensure that access to information in physical form, government facilities and other assets, including sensitive equipment, telecommunications cabling and information systems, is restricted to authorized individuals who have been security-screened at the appropriate level and who have a need for access”. Similarly, GCPSG-010 - Operational Physical Security Guide (Section 6.2 - Hierarchy of Zones) states that “departments should ensure that access to and safeguards for protected and classified assets are based on a clearly discernable hierarchy of zones”.

The guidance provided in this document should be considered the baseline requirements for physical security zoning. GC departments and agencies are responsible for validating these requirements against their own security needs. This guide should be used in conjunction with a Threat and Risk Assessment (TRA) in order to develop an effective physical security zoning strategy for each facility, and should be used to support decision making for zone selection. GC departments and agencies are responsible for the implementation of this guideline and may contact the RCMP LSA to discuss the content, review additional physical security guides in support of the materials discussed in this guide, and/or for assistance with safeguard suggestions above baseline threats based on the results of a TRA. Other RCMP LSA guides may be required to assess specific security situations and are available at Lead Security Agency for Physical Security.

1.3. Equity, Diversity, and Inclusion in physical security systems

All employees of the Government of Canada (GC) have a responsibility to safeguard persons, information and assets of the GC. It is important that security policies and practices do not serve as barriers to inclusivity, but instead support and respect all GC personnel while ensuring appropriate security measures are maintained for the protection of GC personnel, assets, and information.

Initiatives to promote equality and inclusion among the diverse communities and heritages within the GC, should be respected in the development and maintenance of physical security systems. Departments and agencies should follow all GC legislation, policy and directives on Equity, Diversity, and Inclusion (EDI) in the promotion of a fair and equitable work environment for all persons while ensuring they meet their mandated security responsibilities.

Departments and agencies should conduct a risk management exercise to ensure, that while the dignity of all is respected, the protection of GC information, assets, and personnel is maintained. All questions on EDI policies and directives should first be addressed to your responsible departmental authority.

1.4. Information Technology considerations

With the constantly evolving threat landscape, and the convergence of physical and information technology (IT) security, the requirement to assess the risk of any application and/or software connected to a network to operate and support equipment in GC controlled buildings is critical. Some examples of these control systems could be for items such as, but not limited to, security lighting, perimeter gates, doors, Heating Ventilation and Air Conditioning (HVAC), etc.

Before implementing any applications and/or software that will control and/or automate certain building functions, your departmental security requires the completion of a Security Assessment and Authorization (SA&A). This will ensure that the integrity and availability of the components the applications and/or software controls are maintained and that any risks highlighted will be mitigated. Starting the SA&A process early is highly recommended to ensure project delivery schedules are not affected. For more information on the SA&A process, please consult your departmental Security.

5.1. Need-To-Know / Need-to-Access

A fundamental requirement of the Policy on Government Security (PGS) is to limit access to sensitive information and areas. The PGS further restricts access to those who have the need- to-know, or a need-to-access in order to perform their duties. While security screening levels permit access to certain information or areas, the application of the need-to-know and need- to-access principles restrict that access to those with a need to see specific information or to access specific areas. Personnel are not entitled to access merely because it is convenient nor because it is commensurate with their security clearance level, status, rank, or office. GC departments and agencies are responsible for reviewing access privileges and should revoke access when it is no longer required (i.e., if an employee no longer requires access to an area, accepts a position with another department or agency or when they retire).

An effective way of implementing and maintaining the need-to-know or need-to-access principle consists of segregating and controlling access to sensitive GC information and assets through the effective use of physical security zones. Given that individuals within an GC department or agency can pose a threat to the availability, confidentiality or integrity of GC information or assets (often referred to as insider risk); limiting access only to those with the appropriate need-to-know / need-to-access can reduce insider risk and help safeguard GC information and assets.

5.2. Zone selection

To determine the appropriate zone(s) for the processing, storage, or destruction of sensitive assets, it is first necessary to establish the minimum baseline security requirements. RCMP LSA guide GCPSG-010 - Operational Physical Security Guide designates physical security zones based upon the security categorization and the corresponding injury that would result from the unauthorized disclosure, destruction, removal, modification, interruption or misuse of the information or assets contained within. These categorizations and injury levels can also be found in the DSM Appendix J.

5.3. Baseline zone requirements

The following charts summarize the five fundamental zones and their baseline requirements. In addition to these zones, it has become necessary to expand zoning options to better reflect the current needs of the GC. These are called “Special Purpose Spaces” and are further referred to in appendices of this guide. Appendix A discusses the Scientific Research Collaborative Environment (SRCE) and Appendix B discusses zoning considerations for Detention Spaces.

The last three zones, OZ, SZ and HSZ are referred to as restricted-access areas (RAA) and instituting a hierarchy of zones allows departments and agencies to:

• Store assets of different threat levels in the same facility,
• Institute varied levels of controls of access to protect various levels in assets,
• Reduce cost by processing and destroying various levels of information and assets within the same facility, and
• With appropriate planning, change zones from one period of time to another (ie. an OZ during working hours might become a SZ during silent hours or an RZ might become an OZ during a similar period).

The appropriate number of zones within a facility is dependent on the number of tenants (single or multi-tenant) and the building owner / custodian (federal, provincial or municipal government or private sector). In a multi-tenant government building, the building security committee should determine the hierarchy of zones for the common areas. The tenant is responsible for determining appropriate zones within its space.

It is important to note that the forgoing definitions do not preclude the establishment of a temporary restricted zone either inside or outside a controlled area. These temporary areas could be established to house or process material categorized above the level normally stored in the zone provided the necessary physical security safeguards are in place, the increased risk is documented through a formal TRA, and the risk is accepted by the CSO (or their delegate). For example, a temporary SZ could be established around a seized vessel or truck under continuous guard. Another example could be a desk in an open office area that normally functions as an OZ but could serve as a SZ provided the person handling the material is in full control of it at all times and prevents unauthorized disclosure.

In considering physical security zone design and layout, the first two zones (PZ, RZ) should set the stage for access to the RAAs The baseline security requirement is that access be controlled in OZ and higher and since no two facilities are identical, the locations where OZs begin will also be different from one facility to another. The following examples (Figures 1 through 5) illustrate these considerations through some generic facility types.

Figure 1 - Public Zone

Figure 2 - Operations Zone

Figures 1 and 2 depict examples of a single-purpose government facility on government owned land. The PZ consists of the grounds around the building and although departments and agencies may wish to monitor this area, there is no requirement to control access. A RZ is located at the front entry.

Within this zone, there is a means for the public to make initial contact and exchange information. This may happen at a reception desk, where there will be personnel present to monitor entrance to the space. Entry beyond the RZ is restricted to those who have a need-to-access. There should be a recognizable perimeter such as a doorway or an arrangement of furniture which clearly demarcates the entrance to the RAA and access is controlled from this point on. Access is also to be controlled at every point at which the OZ allows access to a SZ.

Figure 3 - Building section

Figure 4 - Multistory building floor plan

Figures 3 and 4 depict an example of a multi-story building in which the government is a tenant on multiple floors. The PZ includes the main floor lobby as well as the elevator and corridors on each floor. There is an RZ located adjacent to the PZ on one side of the floor. The remaining office areas are OZ.

Access to the OZ from the RZ is to be controlled, in this example, it is possible to enter the OZ from either the RZ or the PZ (the corridor). Access to the OZs should gained through a RZ wherever possible.

Physical security zones should be implemented in a progressively restrictive manner, proceeding from the least restrictive (PZ) to the most restrictive (OZ, SZ or HSZ) zone required, so that sequential entry points must be passed through. An entry point is a design feature that channels traffic in such a way that effective control of access is possible at that point. Entry points between zones should be clearly identifiable. The boundary of the zone should not permit access other than at an entry point unless there are functional requirements such as a service counter which handles or processes client requests. It should be clear that entry into an OZ is for limited to authorized personnel and escorted visitors only. Typically, this is done with signage which directs individuals to, and in the RZ. The floor plan below (figure 5) illustrates some of these suggested criteria.

In addition to meeting the baseline requirements, departments and agencies may wish to establish additional measures to further limit access within a facility. The requirement for a SZ or HSZ within a facility will depend upon the categorization of material handled, as well as the specific threats to the department. Different means of controlling access may be appropriate depending on the zone accessed by the entry point. Anything from a staff member or security guard verifying access badges for entry to an OZ up to a sophisticated biometric access control system when entering an HSZ may be used. The selection of the access control measure can be determined based upon a TRA. In addition, there should be a corresponding level of personnel security screening and physical barriers to support the access control measures.

Figure 5 - Floor plan of a building with different physical security zones

6.1. Defence-in-Depth (Using all Physical Security Zones)

Security zones should not be skipped, by-passed or omitted as it takes all necessary zones to create “defence-in-depth”. This is the principle where security zones are implemented in a progressively restrictive manner, proceeding from the least restrictive zone to the most restrictive. There are instances however, where specific departmental business lines or facility functional requirements may make it inefficient to implement all physical security zones and there are also limited situations where it may be difficult or impractical to do so. In these limited cases, a single zone may be by-passed or left out of the zoning model provided that the security measures of that zone are compensated for in the subsequent zone. Any zoning deviations should be carefully and thoroughly documented in a TRA, and the risks associated with this deviation accepted by the security authority, either the CSO or their delegate.

Figure 6 - Security zones

6.2. Information and asset storage in physical security zones

GCPSG-007 - Transport, Transmittal and Storage of Classified and Protected Material outlines the minimum storage requirements of sensitive material by physical security zone and security categorization. In limited circumstances, and as a part of a departmental risk management solution, storing small amounts of higher categorized material within lower physical security zones may be considered. Before information can be stored in this capacity, a TRA should be done to analyze any residual risk and the implementation of additional security control measures should be considered to ensure the protection of the material. The CSO or delegate should then sign off as accepting the residual risk. Departments and agencies can contact the RCMP LSA with specific questions pertaining to these deviations and solicit advice and guidance on next steps.

6.3. Changing physical security zone designations

It is possible that the physical security zone designation could change over the course of a business day (ie. The RZ zone is locked up and not accessed by personnel or clients during hours the office is closed or during limited access hours ie. lunch time). Re-designating zones during these periods will depend on the business conducted within them during regular hours, the type of security measures used outside of regular hours and when the area is closed, and who has access. Careful consideration should be given to any additional physical security measures that may be required in this circumstance. Implementing such a solution may require the completion of a TRA and be approved by the CSO or delegate after careful consideration and acceptance of any residual risk involved.

7.1. Scientific Research Collaboration Environment (SRCE)

A Scientific Research Collaboration Environment SRCE is an optional SPS that enables members of the scientific community from outside the GC (ie. foreign nationals, universities researchers or scientists, and private industry) to work collaboratively with the GC to conduct scientific research and testing in a controlled secure environment separate from other GC information or assets.

An SRCE may only be implemented by GC departments and agencies specifically designated as a Science-Based Department or Agencies (SBDA). SRCEs should not be confused with, or used in place of, GC co-working spaces and should never be used as a means to by-pass the security clearance process. SBDAs requiring the use of an SRCE should always conduct a complete and thorough credential verification of any non-GC security cleared researcher designated to work in these spaces. For more detailed information refer to Appendix A.

7.2. Detention Space

A Detention space is an SPS that is used to detain persons as a part of an investigatory or law enforcement process. GC departments and agencies which have law enforcement activities as a part of their responsibilities (ie. RCMP, Canada Border Services Agency (CBSA), Department of Fisheries and Oceans (DFO), etc.) may have a need for this type of SPS. For more detailed information refer to Appendix B.

7.3. Computer Server Rooms

Contrary to SRCEs and detention spaces, virtually all GC department and agencies have a need for one or more computer server rooms to house GC Information Technology (IT) that supports all GC processes. The design and management of these IT systems is guided by the Communications Security Establishment of Canada. For more information on the location and physical protection of computer server rooms, refer to Appendix C.

1. Purpose

The intent of this Appendix is to provide physical security guidance, in addition to the information contained in this guide, related to the design and development of a Scientific Research Collaboration Environment (SRCE). For the purpose of this guideline, scientific research is defined as a systematic investigation or study of scientific theories and/or hypothesis. It is quantitative in nature and is strongly based on the collection of data. Scientific research is often used in the fields of Biology, Physics and Chemistry.

Note(s): Physical security zoning that simply adheres to the prescribed technical requirements or by integrating zones based solely on functional space requirements may not be sufficient or effective. Security measures that are excessive or do not address functional requirements will be circumvented and become ineffective. Refer to section 5.3 in this guide for more info.

It is also important to note that as research within a GC facility evolves, changes to the sensitivity of information and assets may occur. These changes in sensitivity might require that security provisions of the SRCE be adapted or modified to mitigate the changing security risks. These considerations should be factored into the initial TRA for the design of the space, and within the parameters of the scientific research project being conducted at the facility. These considerations should be carefully risk managed on a continuous basis by the CSO or their delegate.

6. Physical security zone selection

To determine the appropriate physical security zone(s) for the SRCE, it is first necessary to determine the categorization of the work being conducted. Then it is necessary to establish the minimum baseline security requirements to safeguard that work. The RCMP guide GCPSG-010 - Operational Physical Security Guide designates physical security zones based on the categorization of the information and assets and the corresponding injury that would result from its unauthorized disclosure, destruction, removal, modification, interruption or misuse. These zones are defined in the chart below and in section 5.2 based on their injury levels along with specific examples to highlight zone demarcation for an SRCE.

7. Design examples

7.1. Completely Separated Research Environment

A newly constructed SRCE (Figure 1), whether a stand-alone facility or built within an existing facility that does not provide access to any other operational zones in a GC facility is the ideal situation for an SRCE. The environment is self-contained and can only be accessed via a RZ. Proper access control mechanisms are in place and access to the area is routinely monitored.

Figure 1 - Completely separated

7.2. Partially Integrated Research Environment

A retrofit to existing GC facility where access to the SRCE is accessed via an OZ (Figure 2) may be required although is not the ideal solution. If this is the only means of creating an SRCE, proper access control mechanisms should be in place to prevent unauthorized access to other physical security zones. In this area, access is routinely monitored. Control of access is required at all entry points into all zones. Installation of signage can make it clear to any visitors that entry into an OZ is for authorized employees only. Signage can also direct the individual to the location of the RZ. Ingress into the space should be confined to primary entry points; all emergency exits should be egress only.

Figure 2 - Partially integrated

7.3. Fully Integrated Research Environment

If the SRCE is located fully within a zone of a GC facility especially a SZ or HSZ (Figure 3), unauthorized access is much more difficult to manage. This type of set up should be used as a last resort and only if no other options exist. SBDAs should create detailed SOPs which should include provisions for constant monitoring and escorting to and from the SRCE and any other security control measures deemed appropriate through the TRA process. In this case, ingress and egress for the space should be restricted to single point with all other exits being used for emergency egress only.

Figure 3 - Fully integrated

Appendix B - Detention space

1. Purpose

The intent of this appendix is to provide physical security guidance related to the physical protection of computer servers and server rooms. The guidance noted in this appendix does not supersede the previous information contained in the main guide on physical security zones; the information in this appendix and the main guide are to be used in tandem.

2. Safeguards

GC computer servers must be located in a separate room with access control measures such as a mechanical lock or electronic card reader. Access to this room should be limited to only appropriately security screened individuals who require access for operational needs. The room should be built with walls that extend from the floor slab to the underside of the floor/roof slab above. Rooms with walls that extend to the underside of a suspended ceiling would not meet the requirements of a server room. Appropriate key management and storage is needed for all physical keys or electronic access cards.

Reviewed and recommended for approval.

I have reviewed and hereby recommend, GCPSG-015 (2024) - Guide to the Application of Physical Security Zones, for approval.

Lucus Whalen
Manager (Acting), RCMP Lead Security Agency

Date: 2024-09-23

Approved

I hereby approve GCPSG-015 (2024) - Guide to the Application of Physical Security Zones.

Andre St-Pierre
Director, RCMP Physical Security

Date: 2024-10-07