Directive on Security Management

Aims to achieve efficient, effective and accountable management of security within departments and agencies.
Date modified: 2019-07-01

Supporting tools

Mandatory procedures:

More information

Topic:

Print-friendly XML
The Directive on Security Management and its Mandatory Procedures took effect on July 1, 2019. It replaced the Directive on Departmental Security Management, as well as the Operational Security Standard - Business Continuity Planning (BCP) Program, the Operational Security Standard on Physical Security, the Operational Security Standard - Readiness Levels for Federal Government Facilities, and the Operational Security Standard: Management of Information Technology Security (MITS).

Appendix C: Mandatory Procedures for Physical Security Control

C.1 Effective Date

  • C.1.1These procedures take effect on July 1, 2019.

C.2 Procedures

  • C.2.1These procedures provide details on the requirements to support the deputy head accountability.

    The procedures and subsections are as follows:

    Procedure Subsection
    Physical security requirements and practices C.2.2
    Physical security controls C.2.3
    Security in the real property and materiel management life cycles C.2.4
    Facility security assessment and authorization C.2.5
    Security inspections C.2.6
    Arrangements C.2.7
    Monitoring and corrective actions C.2.8
  • C.2.2Physical security requirements and practices: Define, document and maintain departmental physical security requirements and practices:
    • C.2.2.1For all departmental materiel, materiel held in trust by the department, and other movable assets that support government programs, services and activities, including IT assets, controlled goods, heritage assets, communications security (COMSEC) material, acquisition cards, travel cards, cash, negotiable instruments and any other valuable or sensitive assets:
      • C.2.2.1.1Assign a security category to assets commensurate with the degree of injury that could reasonably be expected as a result of their compromise, and group, where appropriate, assets of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
      • C.2.2.1.2Identify and assess threats to which assets are exposed; and
      • C.2.2.1.3Define and document requirements for ensuring the protection of assets under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
    • C.2.2.2For all facilities that support departmental programs, services or activities, or for which the department has custodial responsibility:
      • C.2.2.2.1Identify relevant information, asset and employee protection and business continuity requirements;
      • C.2.2.2.2Identify and assess threats to which facilities are exposed; and
      • C.2.2.2.3Define and document requirements for ensuring the protection of departmental facilities throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and understandings; and
    • C.2.2.3Define and document departmental security practices for implementing and maintaining physical security controls, including practices for conducting facility security assessment and authorization, and security inspections of facilities, in accordance with departmental security requirements.
  • C.2.3Physical security controls: Define, document, implement and maintain security controls to meet departmental physical security requirements, in accordance with departmental practices.
    • C.2.3.1Design of the facility environment: Design, integrate and manage the external and internal environments of a facility to create conditions that together with specific security controls, detect attempted or actual unauthorized entry and activate an effective response to meet departmental security requirements, including electronic surveillance.
    • C.2.3.2Access management: Implement measures to ensure that access to information in physical form, government facilities and other assets, including sensitive equipment, telecommunications cabling and information systems, is restricted to authorized individuals who have been security-screened at the appropriate level and who have a need for access:
      • C.2.3.2.1Issue identification to employees;
      • C.2.3.2.2Issue access cards to employees and other individuals to identify the facility or zone to which the bearer has authorized access, as applicable;
      • C.2.3.2.3Define and establish a discernable hierarchy of physical security zones to progressively control access, and provide consistent protection levels that are commensurate with the threat type and level and with the sensitivity of the programs, services, activities, information or assets in each zone;
      • C.2.3.2.4Authorize, control and monitor individuals and assets entering and, where appropriate, exiting government facilities, zones and sensitive areas, and maintain records of these activities, in accordance with departmental security practices and with records retention and disposition schedules; and
      • C.2.3.2.5Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
    • C.2.3.3Secure storage, transport, transmittal and destruction: Implement measures to protect information in physical form, including assets at rest (for example, in use or in storage), in transit (for example, in transport or in transmittal), and through appropriate destruction, in accordance with their sensitivity and with departmental security practices:
      • C.2.3.3.1Identify authorized secure physical storage, transportation, transmittal and destruction devices, methods and services for use in the department;
      • C.2.3.3.2Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority; and
      • C.2.3.3.3Where appropriate, apply relevant security markings to sensitive assets to alert users of the level of protection that should be applied to the asset.
    • C.2.3.4Additional controls: Implement additional controls, as required, to meet departmental security requirements or to achieve a higher readiness level in the event of emergencies or increased threat situations (for example, screening of incoming mail or deliveries for suspicious packages, special discussion areas, secure rooms, technical surveillance countermeasures, emergency destruction instructions, and measures for safeguarding sensitive or valuable information or assets).
  • C.2.4Security in the real property and materiel management life cycles: Integrate security considerations into real property and materiel management processes and throughout all stages of the facility and materiel management life cycles:
    • C.2.4.1Integrate security considerations into the planning, site selection, design, procurement, contracting, construction, modification, operation and maintenance of facilities; and
    • C.2.4.2Integrate security considerations when assessing requirements, analyzing options and planning the acquisition, operation, use, maintenance, disposal and replacement of materiel.
  • C.2.5Facility security assessment and authorization: Implement facility security assessment and authorization processes to establish and maintain confidence in the security of facilities that are used, occupied or managed by the department, while considering stakeholder security requirements:
    • C.2.5.1Assess whether security controls are effective and whether applicable security requirements are met;
    • C.2.5.2Implement and document risk mitigation measures when security requirements cannot be fully met before putting a facility into operation, subject to approval by an individual who has the required authority;
    • C.2.5.3Authorize facilities before putting them into operation through established facility security assessment and authorization processes;
    • C.2.5.4Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
    • C.2.5.5Evaluate and maintain authorization throughout the use, occupancy and maintenance of a facility.
  • C.2.6Security inspections: Conduct security inspections in facilities where sensitive or valuable information or assets are handled or stored or in facilities that support critical services or activities, to verify compliance with departmental security practices:
    • C.2.6.1Ensure that security inspections are conducted by authorized persons and in accordance with defined processes and timelines;
    • C.2.6.2In emergency or increased threat situations, increase the frequency or depth of security inspections to achieve a higher readiness level; and
    • C.2.6.3Report issues of non-compliance in accordance with defined processes to enable the implementation of corrective actions, and report to the responsible authorities, as applicable.
  • C.2.7Arrangements: Establish documented arrangements (for example, lease or occupancy agreements) that define pertinent security requirements and respective security responsibilities where the department relies on or supports another organization, including but not limited to other federal departments, other orders of government, and private sector suppliers and partners, to meet departmental physical security requirements:
    • C.2.7.1For facilities where the department is the building custodian:
      • C.2.7.1.1Define base building security requirements;
      • C.2.7.1.2Provide base building security;
      • C.2.7.1.3Inform any tenants of the base building security provided in tenant-occupied facilities;
      • C.2.7.1.4Consider tenant security requirements when conducting site selection; and
      • C.2.7.1.5Coordinate the integration of additional safeguards into base building infrastructure to meet tenant security requirements;
    • C.2.7.2For facilities where the department is a tenant:
      • C.2.7.2.1Define tenant security requirements, while considering resources and activities in tenant-occupied facilities, in consultation with other stakeholders with whom facilities are shared, as applicable;
      • C.2.7.2.2Inform the custodian department of its tenant security requirements, to support site selection and tenant fit-up; and
      • C.2.7.2.3Verify that additional safeguards have been integrated into base building infrastructure to meet tenant security requirements;
    • C.2.7.3For multi-tenant facilities occupied or managed by the department, establish or verify that mechanisms are in place to enable the coordination of security activities, including a building security committee, alignment of the hierarchy of security zones for common areas, identification of responsibilities of the lead tenant, and security event management processes; and
    • C.2.7.4When individuals from another department or organization require regular access to facilities occupied or managed by the department, establish or verify that mechanisms are in place to address security requirements and enable the coordination of security activities, including security screening, access management and security event management.
  • C.2.8Monitoring and corrective actions: Maintain an effective physical security posture:
    • C.2.8.1Monitor threats and vulnerabilities;
    • C.2.8.2Analyze access records;
    • C.2.8.3Review the results of security assessments, security inspections and post-event analysis; and
    • C.2.8.4Take pre-emptive, reactive and corrective actions to ensure that physical security practices and controls continue to meet the needs of the department.
Report a problem or mistake on this page
Date modified: