GCPSG-005 (2023)
Security Inspections Guide

Applicability

This guide applies to GC facilities, especially to areas where protected and classified material is stored and processed. The intended audience of this guide includes:

• Directors, managers, and supervisors who are responsible for physical security zones where sensitive information is processed;
• GC authorized individuals who work or who have access to a physical security zone where sensitive information is processed; and
• GC authorized individuals who have been appointed to take on the duties of the security inspector.

Information Technology considerations

With the constantly evolving threat landscape, and the convergence of physical and information technology (IT) security, the requirement to assess the risk of any application and/or software connected to a network to operate and support equipment in Government of Canada controlled buildings is critical. Some examples of these control systems could be for items such as, but not limited to, security lighting, perimeter gates, doors, HVAC, etc.

Before implementing any applications and/or software that will control and/or automate certain building functions, your departmental security requires the completion of a Security Assessment and Authorization (SA&A). This will ensure that the integrity and availability of the components the applications and/or software controls are maintained and that any risks highlighted will be mitigated. Starting the SA&A process early is highly recommended to ensure project delivery schedules are not affected. For more information on the SA&A process, please consult your departmental Security.

Chief Security Officer (CSO)

As per section 4.1.7. of the DSM, the CSO is responsible for:

Ensuring that any significant issues regarding policy compliance, suspected criminal activity, national security concerns or other security issues are assessed, investigated, documented, acted on and reported to the deputy head [of their department or agency] and, as required, to the appropriate law enforcement authority and/or security and intelligence agency (Refer to Appendix I: Standard on Security Event Reporting), and to affected stakeholders, and as required, cooperating in any resulting criminal or other investigation(s).

The CSO should support the security inspection process by providing security related leadership and guidance to all authorized individuals in order to properly define, document and implement security inspection protocols for all GC facilities. The CSO should also ensure the completion of a Threat and Risk Assessment (TRA) of the organization's facilities, at a minimum of every five years, or if there have been changes in the security environment or threat landscape.

Building/Unit Security Coordinator

The Building or Unit Security Coordinator is responsible for ensuring that security inspections at GC facilities are conducted in accordance with the standards developed by their security units/sections. They may be responsible for forming teams of security inspectors to perform security inspections within their facilities, providing training to the inspection team members and ensuring that security incidents at GC facilities are reported in accordance with the organization's security policies and standards. When there is a change in the security environment, security coordinators may support departmental security units/sections in increasing the frequency of security inspections as well as administering other security measures to increase security readiness levels. The security coordinator can assist in the security inspection process by providing employees with advice and guidance on safeguarding protected or classified material.

Security Unit/Section

A GC departmental or agency security unit/section is responsible for the development and implementation of security inspection standards, and providing advice and guidance to security coordinators, the CSO and other stakeholders on security inspection matters (ie. policy requirements, security inspection strategy development, security incident reporting, etc.). As part of the administration of an organization's security program, Security Units/Sections should also develop tools and awareness training materials, provide advice related to the application and interpretation of security inspections, and address issues of non-compliance related to the application of departmental security standards.

Security Units/Sections should ensure that security inspections are carried out by an authorized security inspection team in accordance with this guide. They may advise security coordinators how to develop a security inspection team of their own, or create one within the Security Unit/Section to provide the service. The frequency of additional security inspections for their respective area should be based on the findings of the security inspection and recommendations derived from a TRA.

Security Inspectors and Security Inspection Teams

An authorized security inspector is a person delegated by an organization's departmental or building security section/unit to conduct a security inspection. A security inspector must possess a personnel security clearance or status that is commensurate with the highest category of information and assets being stored and processed within the area being inspected. An organization's departmental or building security team can nominate various security inspectors to form a security inspection team.

When forming a security inspection team, GC departments and agencies should ensure that inspection teams are composed of individuals who have a solid background and knowledge of the security inspection process and that all inspectors are provided with baseline training and awareness sessions on conducting security inspections. GC departments and agencies should also consider the experience level of the inspectors and make every effort to comprise the team of a junior and senior member. This may encourage knowledge sharing and ensure best practices when conducting security inspections.

Directors

For the purpose of this guide, directors are responsible for ensuring all individuals within their area of responsibility have access only to the information and assets required for their position based on the need-to-know and need-to-access principle. Directors should also help ensure that all individuals are informed of the security inspection standard and that security inspections will be performed. Directors are responsible for ensuring that employees understand their obligation to safeguard information and assets.

Directors should work collaboratively with department or agency security personnel to ensure that any instances of non-compliance related to safeguarding sensitive information and assets are addressed and documented. Directors should ensure that individuals are provided the required security equipment to carry out their duties to ensure the security of sensitive information and assets (ie. abiding by a clean desk policy, and securing sensitive documents and IT peripherals at the end of each work day). They should also ensure that up to date physical security and security inspection training/awareness material is available.

Managers and Supervisors

As per section 4.4.2 of the DSM, supervisors are responsible for:

Ensuring that individuals are informed of their security responsibilities and that employees are provided with security awareness and training to maintain the required knowledge and skills to meet their responsibilities.

Managers and supervisors are responsible for working with departmental security teams/units to implement the findings and recommendations of security inspections as well as addressing issues or instances of non-compliance (ie. security violations) with individuals who have not adhered to the security measures.

Employees

As per section 4.5.1 of the DSM, employees are responsible for:

Adhering to government security policy and departmental security practices, including safeguarding information and assets under their control, whether working on-site or off-site.

Employees at all levels must assume responsibility and follow their department or agency's security policies and procedures for safeguarding sensitive information and assets in both physical and electronic form. It is important for employees to immediately report any security related incidents to their managers. An individual must immediately report the loss (whether accidental or suspicious) of protected or classified material to their manager or security office to help reduce the impact of a possible compromise.

Legal and privacy considerations

When security inspections are conducted, it is important to note that the parameters of the inspection should follow GC collective agreements and staffing legislation. During the security inspection of an employee's assigned office or workstation, each employee's rights to privacy must be respected, and steps must be taken to respect applicable legislation and acts. These include, but are not limited to the Privacy Act, the Canadian Charter of Rights and Freedoms, and the Canadian Human Rights Act.

Although workspaces and furniture provided to employees belongs to the GC, during security inspections, the expectation of employee privacy remains in place. Employees may have personal belongings in their workspaces, and the Security Inspection Team should not search or open personal belongings or read or remove personal information found during the inspection. If during the course of the security inspection illegal items are found, the matter will be referred to the departmental security unit or police for investigation. Individuals may be subject to other forms of legitimate search and seizure under applicable criminal and civil laws as a result of a lawful security inspection.

Retention periods for inspection records should be determined and managed by the respective GC department or agency. Library and Archives Canada facilitates may assist departments and agencies with advice concerning specific retention periods.

Planning security inspections

When planning security inspections, security inspection teams should assess the risk environment of the areas being inspected. A TRA may need to be completed to help determine security inspection frequency at a facility. The SCOE Tool Kit also can be used for determining frequency of inspections. Security inspections should be conducted preferably outside of core working hours or while individuals or groups are away from the workplace. The Director and the security coordinator should be informed of the planned inspection in advance of the inspection date to ensure it is administratively feasible to conduct an inspection on the specified dates. In order to protect the integrity of the security inspection process, individuals working in the area should not be advised of the impending security inspection.

When forming teams for security inspections, departments and agencies should carefully consider the knowledge and experience level of the inspectors, how many inspectors are required based on the size and number of spaces to be inspected, and the categorization of material stored within the space. In order to maximize safety and ensure the integrity of the inspection process, security inspection teams should consist of at least two security inspectors.

Prior to conducting a security inspection, security inspectors should confirm that they have physical access and the appropriate security clearance for all physical security zones to be inspected. When planning for inspection day, individual inspectors or inspection teams should ensure that they have the equipment needed to facilitate a proper inspection, including a notebook and pen or text recording device to document observations made during the inspection process, a device to take photographs (if appropriate to the physical security zone or operational situation) to visually document any findings, and an approved security container and lockable carrying case to secure material if any is found.

Please note that security inspectors and inspection teams must take care to not photograph protected and classified materials, locations, security controls or installed security devices and respect access restrictions for electronic devices in sensitive areas.

The Security Center of Excellence has produced a Security Inspection Risk Assessment Tool, available on GCcollab to assist security functional specialists to objectively and consistently determine the frequency of security inspections within a facility.

Conducting security inspections

Inspectors should follow specified guidelines for conducting security inspections and produce reports on the outcome of the inspection. This information is more fully defined in Annex B Section 2 and includes the following:

• A comprehensive visual inspection of employee workspaces. This should include offices and cubicles, desk surfaces, unlocked or open drawers or cabinets, mailboxes, waste and recycle bins as well as printer, scanner and shredder trays;
• Verification that electronic devices are properly secured (if applicable); and
• Validation that security containers or cabinets containing protected and classified material are properly secured.

When conducting an inspection, security inspectors should take their time and carefully search through all areas within the inspection zone. Employees may have personal belongings in their workspaces, and the Security Inspection Team must not search or open personal belongings, read or remove personal information or items found. If any personal items are found by security inspectors, it can be recorded in notes that these items were left untouched.

During the security inspection, the security inspector should ensure that unsecured items are secured in accordance with departmental policy and GCPSG-007 Transport, Transmittal and Storage of Classified and Protected Material Guide and locked in an approved security container or locked office. If unsecure protected or classified material is found during the security inspection, the security inspection team has the authority to remove the material in order to ensure it is properly secured.

If any material has been removed for safekeeping, the security team must store the item in the approved security container and physical security zone required for the categorization of material seized. The material should be accessible by the department or agency's security unit so that it may be returned to the owner as soon as possible. Any items that are removed from an office or workstation must be marked with the name of the employee, the office or workstation number. If secure storage of the material is not possible and the owner is unknown or unavailable, the security inspector should secure the material to the best extent possible, advise senior management and arrange for the immediate handover to a person from the section responsible with the appropriate security clearance and need-to-know.

Potential escalation of security infractions post-investigation

Please note that departmental security teams should never unilaterally or independently consult with internal or external stakeholders on serious security infractions without first discussing or reporting the event to their respective CSO.

The findings of all security inspections should be compiled into a security inspection report which should be sent to the organization's security group. The report should contain a summary of workspaces inspected, the findings, and a summary of any security infractions identified. The report can also contain recommendations for senior management to review and determine what supplementary measures should be taken. A sample outline of a security inspection report can be found in Annex B.

Security infraction severity level

Level 1

First notice of security infraction involving Protected A or B information and assets.

Corrective administrative security measures:

• A notification is sent to the individual and their direct supervisor.

Level 2

Second notice of security infraction involving Protected A or B information and assets. or First notice of security infraction involving Confidential/Secret information and assets.

Corrective administrative security measures:

• A notification is sent to the individual, to their direct supervisor and to the next level of management.
• The individual may be required to take or review a security awareness training (e.g., COR310 at the Canada School of Public Service or any other internal security training made available to them).

Level 3

Third notice of security infraction involving Protected A and B information and assets. or second notice of security infraction involving Confidential/Secret information and assets.

Corrective administrative security measures:

• A notification is sent to the individual, to their direct supervisor and to the next level of management.
• The individual may be required to attend a mandatory security briefing from the Departmental Security Unit/Section.
• The individual may be required to attend a security interview with the Departmental Security Unit/Section to determine if a review of their security clearance and/or status is required. Based on the outcome of the interview, the case may be elevated to an Infraction Severity Level 4.

Level 4

Over three notices of security infraction involving Protected A and B information and assets. or
over two notices of security infraction involving Confidential/Secret information and assets. or
any notice of security infraction involving Protected C or Top-Secret information and assets

Corrective administrative security measures:

• A notification is sent to the individual, to their direct supervisor and to the next level of management.
• The security screening review process may be initiated.
• The individual may be required to attend a mandatory interview with the Departmental Security Unit/Section.

Notes:

1. A notice of security infraction may pertain to electronic documents or systems.
2. Any notice of security infraction considered criminal in nature may result in legal prosecution under the applicable laws subject to review and investigation by an organization's security unit.
3. Notice of security infraction severity are measured through levels 2 to 4 and may result in disciplinary actions. It is important to note that this is not part of the inspection process and corrective action should be determined by the GC department or agency. Decisions are made at the discretion of the CSO or Departmental Manager.
4. Should the individual's security clearance and/or status be revoked following a review process by their organization, the individual may no longer meet the conditions of employment. Human Resources or Labour Relations may need to be consulted.

Appendix A - Notice of security inspection

Appendix B - Security inspection report/checklist

Security inspections are required to ensure protected and classified information and assets are safeguarded in accordance with the DSM. This example report should be left at the workstation or office by Security Inspection Teams after carrying out a security inspection. The Security Inspection Risk Assessment Tool is available on GCcollab to assist security functional specialists to objectively and consistently determine the frequency of security inspections within a facility.

Reminder:

• A Security Inspection Notice (Appendix A) is to be left in plain view in every workstation that is inspected to inform the occupant that a Security Inspection took place and whether the office/workstation is properly secure.
• A Security incident report/checklist (following) should be completed when documenting all security violations.
• An Outcome of inspection(s) report should be submitted to the Program and Service Delivery Manager (Appendix C).

Appendix C - Security compliance rate

The compliance rate is determined by the organization's total infraction percentage and is calculated by the of the total number of security infractions and is divided by the number of employees, multiplied by 100%. The organization's risk framework should be used to assist in determining acceptable level of non-compliance.

Calculated as: 100% - (number of infractions/number of employees x 100)

Below is a summary of the security inspection that was conducted within your area of responsibility: