GCPSG-018 (2024): Guide to the Risk Management Process for Physical Security

Purpose

The purpose of this guide is to assist GC employees with physical security risk management responsibilities in the development of their own processes related to physical security risk management, risk decision making delegation, and the documenting and monitoring of residual risks. The Policy on Government Security (PGS) requires physical security measures to be implemented, monitored, and maintained. These processes must be formally documented throughout all stages of a measure's life cycle. This document connects existing tools and their uses together to outline effective and clear ways for departments to meet their security requirements outlined in the PGS and the Directive on Security Management (DSM).

The guide contains both required security control safeguards (indicated by use of the word "must") as directed by GC policies and directives, and recommended security control safeguards (indicated by the use of the word "should").

Applicability

This guide applies to all employees in the GC with physical security risk management decision making authority. The intended audience of this guide is department heads, Chief Security Officers (CSO), managers, and physical security practitioners that have been delegated physical security risk management authority or are responsible for identifying physical security risks to senior managers who have that delegated authority. This document can be applied to risk assessment and acceptance processes related to physical security, and can be used to create or update departmental policy, directives and programs related to physical security risk management.

Equity, Diversity, and Inclusion in Physical Security Systems

All employees of the Government of Canada (GC) have a responsibility to safeguard persons, information and assets of the GC. It is important that security policies and practices do not serve as barriers to inclusivity, but instead support and respect all GC personnel while ensuring appropriate security measures are maintained for the protection of GC personnel, assets, and information.

Initiatives to promote equality and inclusion among the diverse communities and heritages within the GC, should be respected in the development and maintenance of physical security systems. Departments and agencies should follow all GC legislation, policy and directives on Equity, Diversity, and Inclusion (EDI) in the promotion of a fair and equitable work environment for all persons while ensuring they meet their mandated security responsibilities.

Departments and agencies should conduct a risk management exercise to ensure, that while the dignity of all is respected, the protection of GC information, assets, and personnel is maintained. All questions on EDI policies and directives should first be addressed to your responsible departmental authority.

Information Technology Considerations

With the constantly evolving threat landscape, and the convergence of physical and information technology (IT) security, the requirement to assess the risk of any application and/or software connected to a network to operate and support equipment in Government of Canada controlled buildings is critical. Some examples of these control systems could be for items such as, but not limited to, security lighting, perimeter gates, doors, HVAC, etc.

Before implementing any applications and/or software that will control and/or automate certain building functions, your departmental security requires the completion of a Security Assessment and Authorization (SA&A). This will ensure that the integrity and availability of the components the applications and/or software controls are maintained and that any risks highlighted will be mitigated. Starting the SA&A process early is highly recommended to ensure project delivery schedules are not affected. For more information on the SA&A process, please consult your Departmental Security.

Preparation

The Preparation Phase will identify the scope of the assessment, and the acceptable level of residual risk. The scope of the assessment should be determined by an employee with physical security risk management authority to determine what assets will be evaluated in the TRA. The physical security risk management authority should also assign the assessment to a qualified team of security practitioners. In this phase the TRA team leader should be provided enough information to create a workplan outlining the key deliverables at each stage as well as the required resources to complete a TRA. Once a workplan has been completed it should be reviewed to ensure it remains within budget, maintains the required timelines, and the requested staff can be assigned to the project. If the TRA workplan is acceptable management should document their approval and have the team commence the assessment.

Asset Identification and Valuation

The Asset Identification and Valuation Phase will identify all assets within the scope of the TRA (Classified assets, firearms, assets for a specific project). Time and resources should not be expended on assets that are not part of the TRA, unless there are interdependencies tied to relevant assets. All assets that are within the parameters designated in the Preparation Phase should be clearly listed and assigned a value. There are several categories each asset may have rated from very low to very high; the highest scoring category should be identified in the listing. The categories are as follows:

The deliverable for this phase is an Asset Valuation table/Statement of Sensitivity.

Threat Assessment

The Threat Assessment Phase will identify and list all real and potential threats the asset may realistically face within the scope of the TRA (hostile intelligence agency, organised crime, accidents, natural disaster). The threats must be listed and assigned a Threat Level from very low to very high. This value is determined by the likelihood of an occurrence and the gravity of the threat. When determining the gravity of the threat calculations should be made for the following categories:

Once the Threat Levels have been calculated, by the methodology employed, they are to be used to create this phase's deliverable: A Prioritised Threat List.

Vulnerability Assessment

The Vulnerability Assessment Phase will have the TRA team evaluate the existing safeguards, or lack thereof, and determine how vulnerable the asset is against the identified threat, based upon predetermined parameters defined for all team members conducting the assessment. The TRA team will measure a safeguards probability of compromise and severity of outcome from low to high. The lack of a safeguard is an automatic high rating. These two values are then used to calculate the vulnerability level from very low to very high. Once all the vulnerabilities within the scope of the TRA have been assessed, they can be compiled into a Prioritised Vulnerability List for this phase's deliverable.

Calculation of Residual Risks

The outputs from the previous three phases can then be used to calculate residual risk. There may be more than one Residual Risk Score for each asset as some are subject to multiple threats and vulnerabilities. These will all be calculated individually and assigned their own residual risk score. Residual Risk is a numerical calculation that will give a score from very low to very high. This score corresponds with the acceptable risk level identified in phase one of the TRA. The output will be identical regardless of the method used. This phase's deliverable is complete when the team compiles the residual risks cores into a Prioritised List of Residual Risks.

Recommendations

The Recommendation Phase contains the TRA team's comparison of the risks calculated against the acceptable risk level identified in the Preparation Phase. For residual risks that are at or below the target level the team will either recommend the status quo be maintained, or safeguards adjusted to match the risk tolerance. In the event they recommend the safeguard be reduced or removed they must recalculate the residual risk for the proposal for the designated authority. For all cases where residual risk exceeds the acceptable level, the TRA team will propose alternative measures to reduce the residual risk to the acceptable level. The designated authority can then review all proposed safeguards and their resources costs and determine if they will implement one or more, or refuse and formally accept the above baseline residual risk.

Conclusion

The final Conclusion Phase is where the TRA team will summarise all of the data contained in the report, similar to an executive summary. There should be sufficient information provided for CSOs, or their delegates, to understand the entirety of the report and be enabled to locate additional information for any follow-up calculations. Also included will be management's decisions to accept or decline recommended safeguards, to maintain, increase, or decrease existing safeguards, and a formal signature acknowledging these decisions and the authenticity of the report. Only after the CSO or their delegate signs the TRA report will this process be complete. For more information on TRA in a Government of Canada context, consult GCPSG-022 Threat Risk Assessment Guide.

Developing Standards and Procedures

Department and agency security standards must support the adoption of integrated processes, ensuring there is oversight and documentation clearly outlining the expectations of senior management; as well as standardizing the manner in which data is collected, analysed and maintained. There are several considerations that should be included in a standard; although the final version will vary greatly from case to case. It is advised these standards clearly identify which positions are responsible for what processes and how the data will be recorded and complied. For example, office staff may be required to report the condition of cable locks securing laptops when signing the equipment in and out. The unit manager may then review the logs and audit the inventory quarterly; compiling a report on the effectiveness and condition of safeguards (Example: No unaccounted inventory, minor wear and tear on three locks needing attention, safeguard deemed effective with no change advised).

It is advised the final reports of all safeguard monitoring eventually reach a single point, such as the CSO or delegated team member. Integration of this method would be most effective if it follows a pre-established chain of possession, such as the internal escalation / delegation model. The more consistency there is between processes, the easier it will be for staff to navigate them all. This would increase the efficiency of the countermeasures employed, while promoting a recognised process and positive physical security risk culture.

Standardizing the Delegation of Responsibilities

A standardized delegation strategy is prescribed by the PGS and supports critical data reaching senior management to inform their physical security risk management decisions. Departments and agencies are permitted to develop a delegation process for all security risk management roles that suit their unique operating environment within the GC. Developing a corporate risk profile will provide a strategic overview of the assets and functions that require protection and identify which physical security risk management responsibilities may be candidates for delegation.

Ideally, the delegation of physical security risk management oversight should be prioritized to individuals already involved in overseeing the security governance of the department, agency, or facility; with a preference afforded to personnel that have a background or previous training in physical security. A baseline level of training should be provided to all staff who have been delegated to handle any risk management responsibilities to ensure they can properly execute the required functions. Considerations should also be given to the pre-existing organizational structure and, if possible, delegated duties should utilize the same configuration. This integrates the physical security risk management delegation process into the structure of the department or agency and ensures personnel are aware of the appropriate communication channels for the approval of different queries and tasks.

Standardizing Escalation of Security Reporting/Incidents

The timely communication of security incidents to responsible decisions makers, or to escalate, is the responsibility of all GC employees. Failure to properly escalate a situation may have catastrophic implications to a department or agency's business goals and harm their image in the eyes of stakeholders. Every department and agency must have processes for the escalation and documentation of security breaches and incidents as per DSM Appendix G where a formal Threat and Risk Assessment may not be warranted. When standardizing an escalation process it should follow the same channels as the delegation process, up to the level that has the authority to action a response to the incident. The individual for whom the escalation process will end shall largely depend on the severity of the incident and the amount of autonomy granted to each level by leadership. A risk taxonomy can provide a list of the most likely or damaging threats each protected asset may face. These risks can then be tied to a position on the delegation flowchart that has the authority to action a response. Incidents that could have varying levels of severity should clearly define thresholds of when escalation must exceed the standard level identified by the department or agency matrix.

Escalation Flowchart Example

Guide to Integrated Risk Management

The Guide to Integrated Risk Management is intended to assist departments and agencies with strengthening their overall integrated risk management practices. The Guide to Integrated Risk Management does not provide specific physical security risk management practices; as these will be specific to each organization dependent upon their unique mandate, risk exposure, risk management capacity and other factors. It does support a wholistic approach to the management of all risk, including physical security risk, for departments and agencies.

Guide to Corporate Risk Profiles

A Guide to Corporate Risk Profiles enables departments and agencies to obtain an overview of its key risks including an understanding of the operational context and objectives with respect to managing risk. A corporate risk profile is an output from the risk assessment process that enhances senior management's ability to analyze, prioritize, and budget their risk management strategy. These can also be used to provide a clear snapshot of the department or agencies' key risks and mitigation efforts to staff, practitioners, and stakeholders. A corporate risk profile supports strategic priority setting, allows for informed decision making, and demonstrates a department's or agency's risk tolerance level.

Guide to Risk Taxonomies

A Guide to Risk Taxonomy is a comprehensive, common, and stable set of risk categories that are used within departments and agencies. This document includes considerations for developing and using a risk taxonomy. It outlines an approach to categorizing and aggregating risks that may be tailored to the specific needs of a department or agency. Risk taxonomies support standardizing systems and help foster a risk aware culture. Risk taxonomies and their complimentary tasks are important to developing a "risk aware" culture by allowing for standard terminology and understanding by employees.

Guide to Risk Statements

The Guide to Risk Statements is meant to help strengthen risk management practices by elaborating on how to develop risk statements. Risk statements are an essential component in articulating identified threats and opportunities, which are fundamental in supporting the risk management process. A standardized presentation of risk statements improves integration of security processes throughout a department or agency."

Risk Management Capability Model

The Risk Management Capability Model is a diagnostic tool that allows departments and agencies to benchmark their current risk management capability. This tool may be used to initiate an informed discussion on whether resources need to be allocated or diverted to fill risk management gaps or to improve capability in key areas of the department or agency's risk management priorities.

RCMP Lead Security Agency Publications

The RCMP LSA, as mandated by TBS, publishes and manages a catalogue of guidance documents covering specific areas of physical security. These documents leverage the professional input of subject matter experts in many fields and are peer-reviewed by the GC Physical Security community to incorporate lessons learned and best practices from across the entire GC. It is worthwhile to review these publications to determine if there are any impacts to a department or agency's physical security risk, especially when considering modifying existing, or developing new, facilities.

Importance of Continued Monitoring

In addition to the mandated monitoring of physical security risk mitigation strategies and physical security safeguards, a standardized system of continued monitoring ensures staff understand their role in mitigating physical security risk to the organization. Clear and concise documentation outlining the monitoring strategy, as well as data on the outcomes and periodic reviews, provides valuable information in a post-compromise investigation. The more forthright the collected data, the easier it will be to identify the breakdown in the system that allowed a vulnerability to be exploited.

Continued monitoring facilitates harm reduction and the ability to proactively identify opportunities to increase the physical safety and security of staff and assets. When this review includes examining new best practices from industry partners and other government departments and agencies, new mitigation strategies can be adopted in to existing safeguards. This may result in increased physical security measures, improved operational efficiency, potential cost savings, and improved recovery.

Periodic Assessment

Assessment standards should be set with clear deadlines for the data to be fully compiled, when the review and analysis of the data will occur, and then when the results will be made available. An annual review of a department or agency's Departmental Security Plan or physical security annual workplan should be conducted; however, departments and agencies would benefit from setting their own targets that:

• Allow for the mandatory data to be ready in advance; and
• Review and examine their own policies and procedures to proactively evaluate their initiatives and ensure compliance.

While some timelines are non-negotiable, many that allow flexibility can be linked to operational timelines to encourage operational efficiency and synergy with pre-established milestones. When physical security is integrated into operational requirements it enables an efficient evaluation of a department or agency's entire risk management posture.

Developing Physical Security Performance Measures

Physical security performance should be measured as part of the periodic assessment to ensure these remain efficient and are still achieving the intended goal. Performance measures will vary between safeguards and will need to be customised based upon assessments by physical security practitioners. When deciding on how to measure the effectiveness of a safeguard, there are several key considerations that should influence the decision:

• What is the safeguard's intended purpose
• How does the safeguard fit into operational functions
• Does the safeguard track data or produce a record
• Is the safeguard overbearing and at risk of circumvention by staff

Additional indicators to monitor may include dramatic changes in observed data possibly indicating the following:

• Underreporting of incidents
• New exploitation techniques employed against vulnerabilities
• Non-compliance with current procedures

While not always negative, a lack of minor incidents may indicate the safeguard is inefficient; however, this alone should not be considered as proof but may indicate that an investigation to confirm the data is warranted.