Physical Security Inspections Directive

1. Effective Date

This directive is effective as of July 1, 2016.

The directive will be reviewed every two years by the Chief Security Office (CSO), Integrity Services Branch – Internal Integrity and Security Directorate (IISD).

2. Application

This directive applies to:

  1. all individuals (including employees, casuals, contractors and visitors) who occupy space in Employment and Social Development Canada (ESDC) Portfolio physical locations; and
  2. the inspection of the proper safeguarding of protected/classified information (paper and electronic) and assets, to ensure that the security requirements of the physical locations are met.

3. Context

The nature of the Department’s mandate dictates the way clients’ sensitive and private information should be collected and used. Canadians entrust ESDC with the management of this information which requires robust privacy and security controls and processes.

ESDC is responsible for ensuring the security of staff and the Canadian public in all of its physical locations, including those where ESDC shares common space with other organizations.

Risk-based physical security inspections are required to ensure that Protected and Classified information, electronic devices and other departmental assets are properly safeguarded when employees are absent or away from their workstations.

Inspections are used to assess the risk associated with the physical environment and may include the assessment of a person’s office practices and verification of access controls in all zones.

4. Acronyms/Definitions

Acronym / Term: Definition

CSO: Chief Security Officer

ISB: Integrity Services Branch

IIS: Internal Integrity and Security

Location Lead: Must be an employee of the Department who occupies a position of authority regarding the location (e.g. Director General, Director, Manager, Team Leader, Site Lead).

Physical Inspection: Physical security inspections consist of a visual / physical security inspection of the work areas and zones (public, non-public, secure, individual office, etc.). The inspection helps with the identification of risks such as unlocked security storage containers, offices or other secure spaces.

RSO: Regional Security Office

Staff: Employees (indeterminate and term), students, casuals

Other Individuals: Contractors and/or consultants

Visitors: Individuals who do not have access to the Department, such as partners, family members, members of the public and employees from other Government Departments

5. Legal Consideration Directive Statement

During the physical security inspection of an assigned office or workstation, each person's reasonable expectation of privacy must be respected and care must be taken to respect the Privacy Act, the Canadian Charter of Rights and Freedoms and the Canadian Human Rights Act.

6. Objective and Expected Results

6.1 Objective

The objective of this directive is to set out security requirements to be adhered to by all individuals who occupy ESDC space.

6.2 Expected Results

The expected results of this directive are to:

  • confirm that Protected or Classified information is properly safeguarded at all times independent of its format or purpose;
  • confirm/verify that electronic assets such as desktops, laptops, hard drives, printers, BlackBerrys, etc. are safeguarded from access, theft or harm; and
  • contribute to the creation of a safe environment to deliver ESDC services across all locations.

7. Requirements

  1. Physical security inspections are to be conducted at least once each fiscal year (when possible in pairs) by the RSO, Location Lead or Manager.
  2. Physical security inspections may be conducted both during and after core working hours and can include times when employees or groups of employees are away from their office on leave, attending a course, in a meeting, a conference or a special event.
  3. Physical security inspections consist of a visual inspection and a physical inspection of every zone (public, operations, secure, etc.) within an ESDC location, and assess the following:
    a. drawers, cabinets, safes and padlocks are locked and, for designated offices with a door, verification that the door is locked;
    b. lock and door keys are removed and not visible or accessible;
    c. zones are protected by appropriate and functioning access control mechanisms (e.g. proximity readers), in consultation with the RSO;
    d. electronic assets which store information, such as but not limited to desktops, laptops, mobile phones, USB keys and portable hard drives, are secured physically;
    e. passwords or password-like markings or postings are not posted, visible or accessible;
    f. Protected and/or Classified information is not exposed on desks, tables, counters, printers, photocopiers, or in recycling bins, etc., as specified in the “Clean Desk Guidelines”;
    g. Protected and/or Classified information is not posted on office walls, in common areas or public zones; and
    h. personal property is safeguarded from access, theft or harm (this is not an infraction but a best practice).
  4. A Physical Security Inspection Checklist is completed by the individual(s) conducting the inspection.
  5. The Physical Security Inspection Checklist is accessible electronically and the completed checklist is kept by the Manager or Team Lead of the office. A copy is sent to the RSO in preparation for the completion of a monthly (if applicable) formal Security Inspection Report.
  6. A formal Security Inspection Report is completed by the coordinating RSO and submitted to the CSO once a month (if applicable).

8. Roles and Responsibilities

8.1 Chief Security Officer (CSO)

  • develops and maintains ESDC security policy instruments, including this directive, and supports and monitors their application through the standard monitoring processes;
  • owns the process supporting the application of this Directive and supports its execution through guidance and direction;
  • establishes a risk-based physical security inspection reporting schedule;
  • analyzes formal security inspection reports and takes action on identifying and mitigating risks and/or concerns; and
  • develops and communicates security awareness material to employees.

8.2 Regional Security Offices/Senior Manager – Internal Integrity and Security (regions)

  • develops implementation strategies within established regional governance structures and supports effective application of this Directive, in consultation with key partners;
  • plans and coordinates security inspections to assess, measure and monitor compliance;
  • analyzes completed Physical Security Inspection Checklists, identifies trends and recommends corrective measures and/or mitigation measures; and
  • completes formal report for submission to the CSO.

8.3 Manager

  • oversees that all staff and other individuals have taken the mandatory “Workplace Effectiveness Program” online course, which includes “Stewardship of Information and Workplace Behaviours” and “Security 101 – It Starts with You!”; and
  • promotes the Clean Desk Guidelines and other Legislation, Policies, Directives, Standards and ESDC Corporate Policy Instruments.

8.4 Location Lead

  • provides staff access to electronic copies of the Physical Security Inspection Directive and other related security information;
  • reminds all staff and other individuals of what constitutes behaviour that is compliant and non-compliant with the Physical Security Inspection Directive;
  • provides all staff and other individuals with the necessary secure storage equipment or space for the purpose of safeguarding any of ESDC’s assets in their possession;
  • conducts physical security inspections as directed by the RSO and/or Senior Management and provides the report to their RSO; and
  • discusses security violations with staff who have not adhered to the proper security measures outlined in corporate policy instruments and ensures corrective measures are applied in order to prevent recurrence.

8.5 All staff and other individuals:

  • take appropriate measures in accordance with the Physical Security Inspection Directive to safeguard ESDC information and assets and prevent any security violations from occurring;
  • safeguard their personal information and/or assets; and
  • complete the mandatory “Workplace Effectiveness Program” online course, which includes “Stewardship of Information and Workplace Behaviours” and “Security 101 – It Starts with You!”.

Note: Upon receipt of a security inspection infraction, the staff member or other individual concerned is to retrieve any information and/or material that the physical security inspection found was not properly safeguarded.

9. Consequences

  • Individuals who do not comply with this directive will be held accountable. Failure to comply with Section 7 – Requirements 3a to 3g of this directive may result in the following measures:
    • A report to the individual and his/her manager to address the infraction. This may include escalation to higher levels of authority and the following measures:
      • action plan to ensure corrective measures based on severity or frequency of infraction;
      • increased inspection frequency for repeat infractions; and
      • disciplinary measures for cases of very severe infractions including the possibility of termination of employment.
  • All infractions will be retained by the RSO for a period of 2 years.

10. References

This Directive should be read in conjunction with or in reference to:

10.1 Legislation

10.2 Treasury Board Secretariat (TBS) Policies, Directives and Standards

10.3 ESDC Corporate Policy Instruments

11. Enquiries

Questions concerning this directive can be addressed by the Regional Security Office.