Corporate Audit of Security - Final Summary Report

Recommendations	Response	Action Plan and Tasks	Responsibility	Target Dates
Audit Recommendation 1 1. Senior management should review the organizational context for security and ensure that all elements of security have a sufficiently high profile by: 1.1 Assessing the appropriateness of the organizational level to which the security function reports; 1.2 Ensuring better integration of the elements between NHQ and the regions; 1.3 Building management team support by incorporating security requirements in the management contracts developed with senior managers across the Department; 1.4 Periodically assessing the security function at regional and local levels against the management contract; 1.5 Revising budgets to help security staff at all levels provide leadership, then evaluating that leadership as part of the security management contract; 1.6 Improving communications by providing resources for inter-departmental information sharing of “best” security practices; 1.7 Benchmarking the investment in security made by other government departments and applying “lessons learned” to the Department.	Several steps have already been taken to address this recommendation. In the last year, CIC raised the profile and awareness of security issues at all levels of the organization. The profile of the DSO has been elevated and given greater access to senior management. A review of the security organization will be completed and benchmarked with the cooperation of several partner agencies. New resources have been allocated to augment IT and Corporate Security capability. CIC will also explore the degree to which a security component should be incorporated into managers’ contracts.	1.1 Assessing the appropriateness of the organizational level to which the security function reports a) Greater visibility and executive access for the DSO The profile of the DSO has been elevated and the DSO has been given greater access to senior management: Formerly, the Director of Administration reported to the DG of Finance and Administration. Now the Director, Administration and Security Directorate, reports to the ADM for Centralized Services Delivery and Corporate Services.	Corporate Security	Completed
b) Review of the security organization and structures A security organizational review has been undertaken to assess the effectiveness of the current CIC security organization, benchmark it against other departments and make recommendations. The DSO will better integrate and coordinate all aspects of security and provide more centralized direction.	DSO	Last Quarter FY 02/03
c) Enhancement of the IT Security and Corporate Security organizations A revised organizational structure that includes changes and enhancements to the IT Security organization staff levels, roles and responsibilities was completed on June 28, 2002. Staffing actions have begun to augment the capability of both the Corporate and IT Security Unit, supported by ongoing funding.	IMTB Chief Information Officer Corporate Security	Completed
1.2 Ensuring better integration of the elements between NHQ and the regions a) Operational Committees The standing Departmental Security Management Committee (DSMC) has been established to formalize communications between the DSO, Corporate Security, Human Resources (HR), IT Security and the regions. Monthly teleconferences are currently held between NHQ and the regions. The DSO participates in the Policy Safety and Health Committee.	DSO Corporate Security HR IT Regions	Completed
1.3 Building management team support by incorporating security requirements in the management contracts developed with senior managers across the Department a) Security contracts with managers The DSMC will undertake a review to assess the feasibility of including an internal security component as part of individual management contracts that include performance measures. 1.4 Periodically assessing the security function at the regional and local levels against the management contract a) Reference to 1.3a will be part of the review.	DSMC HR	Review to be completed by March 31, 2003
1.5 Revising budgets to help security staff at all levels provide leadership, then evaluating that leadership as part of the security management contract a) Major ongoing investment in personnel for IT and Corporate Security incorporated into base budget and infrastructure.	Corporate Security IT	Staffing to be completed by March 31, 2003
1.6 Improving communications by providing resources for interdepartmental information sharing of “best” security practices a) Management forums and conferences A CIC Annual Security Conference has been established in association with the current Annual Administration Conference The DSO will outline the roles and responsibilities of the branches to ensure better communication and share best practices among partners.	DSO	The first annual conference was held November 5-6, 2002 3rd quarter FY 02/03
1.7 Benchmarking the investment in security made by other government departments and applying “lessons learned” to the Department a) Demographic Analysis and Survey of the Security Community The Treasury Board Secretariat (TBS) is conducting a government-wide assessment of the Security Community, in two parts. The demographic analysis extracts factual data available on HR data systems and managers, and the survey solicits direct input from the members of the Community. The results will guide the development and ultimate implementation of a strategic HR plan designed specifically for the Security Community.	TBS DSO	Begun November 2001, results expected 3rd quarter FY 02/03

Recommendations

Response

Action Plan and Tasks

Responsibility

Target Dates

Audit Recommendation 1

1. Senior management should review the organizational context for security and ensure that all elements of security have a sufficiently high profile by:

1.1 Assessing the appropriateness of the organizational level to which the security function reports;

1.2 Ensuring better integration of the elements between NHQ and the regions;

1.3 Building management team support by incorporating security requirements in the management contracts developed with senior managers across the Department;

1.4 Periodically assessing the security function at regional and local levels against the management contract;

1.5 Revising budgets to help security staff at all levels provide leadership, then evaluating that leadership as part of the security management contract;

1.6 Improving communications by providing resources for inter-departmental information sharing of “best” security practices;

1.7 Benchmarking the investment in security made by other government departments and applying “lessons learned” to the Department.

Several steps have already been taken to address this recommendation. In the last year, CIC raised the profile and awareness of security issues at all levels of the organization. The profile of the DSO has been elevated and given greater access to senior management. A review of the security organization will be completed and benchmarked with the cooperation of several partner agencies. New resources have been allocated to augment IT and Corporate Security capability. CIC will also explore the degree to which a security component should be incorporated into managers’ contracts.

1.1 Assessing the appropriateness of the organizational level to which the security function reports

a) Greater visibility and executive access for the DSO

The profile of the DSO has been elevated and the DSO has been given greater access to senior management:

Formerly, the Director of Administration reported to the DG of Finance and Administration.
Now the Director, Administration and Security Directorate, reports to the ADM for Centralized Services Delivery and Corporate Services.

Corporate Security

Completed

b) Review of the security organization and structures

A security organizational review has been undertaken to assess the effectiveness of the current CIC security organization, benchmark it against other departments and make recommendations.
The DSO will better integrate and coordinate all aspects of security and provide more centralized direction.

DSO

Last Quarter FY 02/03

c) Enhancement of the IT Security and Corporate Security organizations

A revised organizational structure that includes changes and enhancements to the IT Security organization staff levels, roles and responsibilities was completed on June 28, 2002. Staffing actions have begun to augment the capability of both the Corporate and IT Security Unit, supported by ongoing funding.

IMTB
Chief Information Officer
Corporate Security

Completed

1.2 Ensuring better integration of the elements between NHQ and the regions

a) Operational Committees
The standing Departmental Security Management Committee (DSMC) has been established to formalize communications between the DSO, Corporate Security, Human Resources (HR), IT Security and the regions.
Monthly teleconferences are currently held between NHQ and the regions.
The DSO participates in the Policy Safety and Health Committee.

DSO
Corporate Security
HR
IT
Regions

Completed

1.3 Building management team support by incorporating security requirements in the management contracts developed with senior managers across the Department

a) Security contracts with managers
The DSMC will undertake a review to assess the feasibility of including an internal security component as part of individual management contracts that include performance measures.

1.4 Periodically assessing the security function at the regional and local levels against the management contract
a) Reference to 1.3a will be part of the review.

DSMC
HR

Review to be completed by March 31, 2003

1.5 Revising budgets to help security staff at all levels provide leadership, then evaluating that leadership as part of the security management contract
a) Major ongoing investment in personnel for IT and Corporate Security incorporated into base budget and infrastructure.

Corporate Security
IT

Staffing to be completed by March 31, 2003

1.6 Improving communications by providing resources for interdepartmental information sharing of “best” security practices

a) Management forums and conferences

A CIC Annual Security Conference has been established in association with the current Annual Administration Conference
The DSO will outline the roles and responsibilities of the branches to ensure better communication and share best practices among partners.

DSO

The first annual conference was held November 5-6, 2002
3rd quarter FY 02/03

1.7 Benchmarking the investment in security made by other government departments and applying “lessons learned” to the Department

a) Demographic Analysis and Survey of the Security Community
The Treasury Board Secretariat (TBS) is conducting a government-wide assessment of the Security Community, in two parts. The demographic analysis extracts factual data available on HR data systems and managers, and the survey solicits direct input from the members of the Community. The results will guide the development and ultimate implementation of a strategic HR plan designed specifically for the Security Community.

TBS
DSO

Begun November 2001, results expected 3rd quarter FY 02/03

Search

Corporate Audit of Security
Final Summary Report

5.1 MANAGEMENT RESPONSE
AND ACTION PLAN (1 of 3)

5.1 MANAGEMENT RESPONSE AND ACTION PLAN (1 of 3)

5.1 MANAGEMENT RESPONSE
AND ACTION PLAN (1 of 3)