Royal Canadian Mounted Police

www.rcmp.gc.ca


Policy Instruments

  • Government of Canada Physical Security Guides
  • Policy on Government Security
  • Directive on Security Management
  • Operational Security Standard on Physical Security - Rescinded [2019-06-28]

Government of Canada Physical Security Guides

  • GCPSG-001 (2020) - Equipment Selection Guide for Paper Shredders
  • GCPSG-002 (2020) - Blast Mitigation Considerations Guide
  • GCPSG-003 (2021) - Security Operations Centre Design Considerations Guide
  • GCPSG-004 (2020) - Security Lighting Considerations Guide
  • GCPSG-005 (2023) - Security Inspections Guide (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-006 (2024) - Access Management Guide (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-007 (2022) - Transport, Transmittal and Storage of Protected and Classified Material (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-008 (2022) - Physical Security Considerations for Remote and Telework Environments
  • GCPSG-009 (2022) - Security Fencing Considerations Guide
  • GCPSG-010 (2022) - Operational Physical Security Guide (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-015 (2023) - Guide to the Application of Physical Security Zones (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-016 (2022) - Guide to the Facility Security Assessment and Authorization Process (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-017 (2024) - Special Discussion Area Construction Guide (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-018 (2024) - Guide to the Risk Management Process for Physical Security (Access is restricted to Government of Canada departments and agencies)
  • GCPSG-019 (2023) - Protection, Detection, Response, and Recovery Guide (Access is restricted to Government of Canada departments and agencies)
  • G1-001 - Security Equipment Guide (Access is restricted to Government of Canada departments and agencies). Information pertaining to paper shredders in the SEG is no longer valid; refer to GCPSG-001.
  • G1-005 - Preparation of Physical Security Briefs (01/2000)
  • G1-028 - Security Use of Mobile Shelving (09/2005)
  • G1-031 - Physical Protection of Computer Servers (03/2008)
  • G13-01 - Secure Storage Room Guide (07/2013)
  • G13-02 - Secure Demising Wall Guide (07/2013)

The RCMP's Lead Security Agency endorses the Security Centre of Excellence Facility Security Assessment and Authorization. A copy of the toolkit can be found at Facility Security Assessment and Authorization Toolkit: GCcollab.

  • Harmonized TRA Methodology - Tool TRA-1

The Harmonized Threat and Risk Assessment (TRA) Methodology is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC) and the Commissioner, Royal Canadian Mounted Police (RCMP).

Harmonized TRA Methodology (hosted by CSEC)

The following publications have been archived.

If you are an employee of the Canadian government and would like to obtain an archived publication in PDF format, please send a request by email to [email protected] with the following information: contact name, department or agency, phone number, email address and publication number/name.

  • G1-002 - Security Lighting (08/1987)
  • G1-003 - Glazing (04/2000)
  • G1-004 - Construction of a Special Discussion Area (08/1998)
  • G1-006 - Identification Cards / Access Badges (07/2006)
  • G1-007 - Security Sealing of Building Emergency / Master Keys or Cypher Lock Codes (03/1991)
  • G1-008 - Guidelines for Guard Services (04/2001)
  • G1-009 - Transport and Transmittal of Protected and Classified Information (12/2006)
  • G1-010 - Security Connotations of the 1995 National Building Code (04/1998)
  • G1-011 - Overhead Door Specifications (08/1987)
  • G1-012 - Suspended Ceiling Systems (08/1987)
  • G1-013 - Security Control Room Space Requirements (09/2006)
  • G1-014 - Exterior Fixed-ladder Barrier Specification (08/1987)
  • G1-015 - Entry Controls for Overhead Doors (12/1981)
  • G1-016 - Master Key Systems (12/1981)
  • G1-017 - Hardware (02/1985)
  • G1-018 - Doors and Frames (03/1985)
  • G1-019 - Vaults (03/1985)
  • G1-024 - Control of Access (08/2004)
  • G1-025 - Protection, Detection and Response (12/2004)
  • G1-026 - Application of Physical Security Zones (09/2005)
  • G1-029 - Secure Rooms (04/2006). Notice: RCMP guide G1-029 Secure Rooms has been replaced by two new companion guides: G13-01 Secure Storage Room Guide and G13-02 Secure Demising Wall Guide.

Threat Risk Assessment (TRA) for Physical Security

  • First Online: 01 June 2021

Darek Baingo

Part of the book series: Advanced Sciences and Technologies for Security Applications (ASTSA)


Maintaining the physical security of an organization entails navigating an intricate landscape of threats, adversaries, systems, and policies. As organizations evolve, become more complex and spatially distributed, security risks increase exponentially and become difficult to fully understand. Organizations entrusted with critical missions and ownership of high risk/high value assets realize that physical protection systems and policies are crucial to prevent unacceptable consequences arising from harmful influences, whether deliberate, accidental or natural. The more serious the consequences, the more important it is to have a high degree of confidence that physical protection will be as effective as planned. The highest level of confidence in physical protection is best achieved through the design and implementation of protective measures that are linked to a thorough understanding of the threats and vulnerabilities. This is achieved through comprehensive and up-to-date analysis of the motivations, intentions, and capabilities of potential adversaries against which protection systems are designed and evaluated. This chapter presents the conceptual development of a Threat Risk Assessment (TRA) Methodology for physical security planning and design. The methodology addresses critical knowledge and capability gaps in TRA approaches, and aims to strengthen the transparency, robustness and defensibility of an organisational Security Risk Management program. The chapter concludes with a discussion of lessons learned and recommendations for future work.


References

Harmonized Threat and Risk Assessment Methodology (2007). Royal Canadian Mounted Police and Communications Security Establishment, Ottawa (TRA-1). https://cyber.gc.ca/en/guidance/harmonized-tra-methodology-tra-1. Accessed 22 Jan 2021

Morris R, Bureaux J, McDonald S (2017) A comparative review of the threat risk assessment methodologies. Defence Research and Development Canada, DRDC-RDDC-2017-C130

Interagency Security Committee (2015) Facility security plan: an Interagency Security Committee guide, 1st edn. ISC, US, Feb 2015

Department of Homeland Security (2011) Reference manual to mitigate potential terrorist attacks against buildings, 2nd edn. DHS, Oct 2011

Emergency Management Ontario (2012) Hazard identification and risk assessment workbook. Toronto, Ontario

Interagency Security Committee (2014) The design-basis threat: an Interagency Security Committee report, 9th edn. ISC, US, Aug 2014

Interagency Security Committee (2016) Risk management process of federal buildings, 2nd edn. ISC, Nov 2016

National Institute of Standards and Technology (2012) Guide for conducting risk assessments. US Department of Commerce, Gaithersburg, Maryland, Sept 2012

US Department of Justice (2005) Assessing and managing the terrorism threat. Washington, DC

Canadian Armed Forces (2007) B-GJ-005-314/FP-050 CF force protection assessment guide (FPAG). National Defence, Ottawa

ISO 31010:2019 Risk management - Risk assessment techniques. International Organization for Standardization, 2019

Department of Homeland Security (2013) Threat and hazard identification and risk assessment guide: comprehensive preparedness guide, 2nd edn. DHS, Aug 2013

National Institute of Building Sciences. Whole Building Design Guide (WBDG) methodology. https://www.wbdg.org/. Accessed 20 Jan 2021

Baingo D, Friesen SP (2020) Threat risk assessment implementation project. Defence Research and Development Canada, DRDC-RDDC-2020-L226

Morris R, Bureaux J, McDonald S (2018) Draft methodology for the development of a DND/CAF national design basis threat assessment. Defence Research and Development Canada, DRDC-RDDC-2018-C238, Dec 2018

Morris R, Bureaux J, McDonald S (2018) Procedures for the selection and prioritization of DND/CAF installations for baseline TRA conduct. Defence Research and Development Canada, DRDC-RDDC-2018-C273, Dec 2018

Headquarters, Department of the Army (2011) Field Manual 3-37.2 Antiterrorism. Feb 2011. www.us.army.mil. Accessed 12 Oct 2020

Author information

Authors and affiliations

Darek Baingo (corresponding author), Centre for Security Science, Defence R&D Canada, Ottawa, Canada

Editor information

Editors and affiliations

Anthony J. Masys, College of Public Health, University of South Florida, Tampa, FL, USA

Annex A: Comparative Analysis of TRA Methodologies

This Annex contains the comparative descriptions of TRA methodologies as related to each phase of the baseline HTRA using the metrics identified in Sect. 2.

Requirement and Scope Definition Phases

2.1 Requirements

There was a wide variance in how assets were identified and classified/categorized between the various methodologies. However, the requirement to conduct a TRA falls out of policy direction, which should be based on specific criteria, such as:

  • large capital project definition, development and delivery;
  • system development; and
  • establishment of an organisation's baseline.

The establishment of a baseline TRA for critical infrastructure, equipment, personnel, information etc., is widely recognized as a best practice. Once a baseline TRA has been completed, the requirement to revisit or revalidate a TRA may be caused by any number of "triggers". Roles and responsibilities to identify and act upon these triggers also need to be instituted. Triggers include but are not limited to:

  • change in any aspect of threat;
  • changes in asset inventory or purpose;
  • identification of safeguard failures; and
  • a cyclical review process.

Whether the TRA model under development will be used for IT system implementation and maintenance is unclear and requires resolution. What is clear is that all TRA models in use need to use the same terminology and key definitions, and reporting should be funnelled through a central national level OPI via the appropriate chain of command.

2.2 Scope and Definition

Scalability of a TRA methodology was deemed to be of critical importance. It is clear that a TRA may be required for various reasons, and at various levels within the organisation. This means that a TRA may be required for a single asset (e.g., high value stand-alone building), at a regional/international level or strategically. Similar to the aforementioned need to clarify the organisational policy regarding the requirement to conduct a security risk assessment, clear policy direction regarding the responsibility for determining the scope and definition is also required. It is important that local staff be engaged for their input during this phase, as incorporation of local knowledge during this phase will be valuable in ensuring that the correct assets are being assessed for the right reasons.

Asset Identification and Valuation Phase

3.1 Asset Identification

During the brainstorming sessions, the question as to whether to include both tangibles and intangibles as assets in the new methodology was debated at length. Among the models reviewed, only the HTRA identified intangibles (e.g., morale, public confidence etc.) as assets. It was decided that intangibles would be assessed as a consequence or impact, rather than an asset, as part of the new methodology.

There are numerous processes for the identification of assets, and at an even more basic level, for how to define an asset. For those models that did identify (tangible) assets, they were usually defined in terms of the following categories:

  • Information;
  • Facilities;
  • Infrastructure (e.g., equipment/systems); and

During the brainstorming sessions, it was determined that for the Departmental methodology, services or capabilities would not be considered as a category of tangible asset; the first four categories are required to provide services, and hence the compromise of any of these would result in an impact on the ability to deliver a service.

Several of the methodologies provided lists of assets which served as an aide memoire, providing examples of the various types of assets within each of the categories. Within the department there are already databases of some categories of assets (e.g., personnel, facilities, equipment etc.), that may be exploitable for the purposes of identifying them within a specific geographical location (i.e., base/wing). There was some discussion during the brainstorming sessions that perhaps valuation of an asset in terms of operational criticality should take place first, allowing for identification and selection of critical assets during the scope and definition phase. Using the ISC model's Facility Security Level (FSL) [6] as a baseline, the development of a tool for determining and assigning a facility's (or asset's) value is worthy of consideration.

3.2 Asset Valuation

The methodologies reviewed took two main approaches to asset valuation. One approach was to define the criticality of the asset using various language ladders or parameters, while the other assigned a value to an asset by determining the impact of its compromise using parameters such as confidentiality, availability and integrity. Both methods involved some degree of subjectivity. The latter process was much more complex, albeit more granular.

It was stressed during the brainstorming sessions that the removal of as much subjectivity as possible from the asset valuation process was very important. This would indicate that the development of a strategic baseline asset valuation table (which would also require the development of a strategic asset identification table) would be a useful tool, similar to the FSL developed as part of the ISC documentation. However, assigning values to all assets at a strategic level is likely not prudent. Local input into the importance of specific assets needs to be included in the methodology, as local experience and intuition are important aspects of the valuation process. Therefore, a combination of both approaches would likely be of the greatest benefit. Another important consideration in terms of asset valuation is asset redundancy.

Similar to asset identification, the use of current databases for extracting asset values, at least in monetary terms and likely in other terms as well, may be feasible and should be investigated. Asset valuation may be tied to the business continuity planning (BCP) process, and more specifically to the business impact analysis (BIA), which identifies critical services, albeit from a corporate perspective.

Threat Assessment Phase

Threat assessments were for the most part considered in three broad categories. These are natural hazards, accidents and deliberate threats such as terrorism. When assessing a threat, it is accepted practice that the impact of a threat is considered in relation to the likelihood of the threat actually occurring. Use of word ladders seemed to be an effective method of reducing subjectivity.

Within the Department, the threat picture is continuously monitored, and the products developed (or at least the process used to develop them) should be leveraged for use in TRAs. For this current capability to be leveraged, TRA threat data requirements will need to be defined. The development and use of a DBT product are worthy of investigation, and in fact may be a best practice. This could include the development of a baseline TRA threat assessment template for completion by intelligence circles; collection and inclusion of information from other federal departments on natural hazards such as earthquakes etc., needs to be explored further. For the production of this type of threat product to be generated, roles and responsibilities will need to be assigned both within intelligence circles and for those that would need to be in receipt of these products. Additionally, a “trigger” mechanism to alert that a change in threat (i.e., probability, modus operandi etc.) may require a TRA to be revisited, should be considered for inclusion in the methodology of the future. This would necessitate that the process allows for the variation of threat over time.

Once the baseline threat is developed, it would need to be reviewed and adapted for use at the local level. Other local threat metrics are already produced and should be exploited. Examples include safety reports, security violation reports and PSS reports; the information provided in these types of products should be considered when developing the local threat picture. The local threat picture should also include crime statistics and trends.

The review process indicated that an increased complexity in the threat assessment process resulted in greater scalability and adaptability; careful consideration needs to be given to the scalability and adaptability requirements of the methodology under consideration. Given the confined context of the intended application (DND/CAF versus all of government), a reduction in scalability and adaptability may be entirely warranted, which may then result in a corresponding reduction in the complexity required for the development of threat assessments.

Vulnerability Assessment Phase

All of the methodologies that used a vulnerability assessment phase relied on on-site assessments and interviews as a major data gathering process. Assessment of the data ranged from very complex to being of insufficient complexity. Once again, complexity could be correlated to what the methodologies were trying to address in terms of assets, and the impact on scalability and adaptability was similar to that of the threat assessment process; a reduction in complexity may be warranted by the reduced requirement for adaptability and scalability in the global sense.

All methodologies used some type of language ladder to define, and in some cases quantify, impacts/vulnerabilities. It is suggested that an adaptation of this process would also work best for the methodology in question.

During the brainstorming sessions, it was clear that there was no requirement to reassess minimum security safeguards; this was captured quite adequately by the PSS. There is a requirement however, to assess whether the minimum safeguards are effective in countering the current threat, thus reducing vulnerability to an acceptable level.

Reviewing PSS results, safety and security reports etc., prior to the conduct of the TRA, may assist in exposing possible vulnerabilities, and provides some measure of the ability of baseline security/safety measures to address the threat.

Risk Assessment Phase (and Calculation of Residual Risk)

While these two phases were presented as distinct processes, they both essentially generate the same information; a descriptor of what the risk is after safeguard effectiveness has been factored in. The formulas used are entirely dependent on the processes that have preceded this phase within each methodology. The following three formulas are provided for comparison purposes:

FEMA—the risk assessment integrates the likelihood/probability of the attack (threat) occurring with the probability that a successful attack will produce consequences of a certain magnitude, given the vulnerabilities of the target:

HTRA—this tool uses values for frequency, impact/consequences and a “change in risk” factor (a correction based on predicted changes to frequency and vulnerability).

The DOJ risk is calculated by the following equation:

For residual risk, the HTRA assigns numerical scores from 1 to 5 to asset value, threat and vulnerability, based on their assessed descriptor of very low to very high. Residual Risk is the product of Asset × Threat × Vulnerability. In both cases it was assessed that these calculations provide a sufficient scale on which to base mitigation decisions. The calculation itself was assessed as very complex.

Risk Mitigation Strategy (Recommendations Phase)

The identification of unacceptable risks and the provision of recommendations to mitigate those risks to acceptable levels, are the critical outputs of the TRA. The method used to determine what constitutes an unacceptable risk varied from a consultative process to the use of a Target Risk Level (e.g., medium) as the acceptable level of risk, hence anything above medium is unacceptable.

The identification of additional safeguards to reduce risk, requires that the personnel used for this process have an in depth and up-to-date understanding of what the possible remedies may include. Additionally, the inclusion of a cost benefit analysis, especially when more than one solution exists, is of significant importance for decision makers.

The ISC's Facility Security Levels (which could be viewed as facility criticality levels) use weighted values for parameters such as facility size, importance, population and replacement value to establish a priority rating for buildings; recommendations from the TRA are assessed against the FSL and additional documentation that lists physical standards for each FSL/residual risk situation.

The use of Target Risk Levels (TRLs), the incorporation of a process similar to the use of FSLs, and the development of a list of corresponding additional safeguards to reduce risk levels to acceptable standards based on the criticality of the asset, are worthy of further investigation.

Annex B: Localized Design Basis Threat

Overview of the LDBT and Use in the TRA Methodology

2.1 Undesirable Events (UE)

The DBT identifies and rates "Undesirable Events" (UEs) based on their likelihood and impact. A UE will fall into one of three categories of threat types, Deliberate, Accidental or Natural, with each UE identifying and defining a specific threat event. Some examples of UE are provided in Table 4 (Deliberate UE), Table 5 (Accidental UE) and Table 6 (Natural UE).

The LDBT represents the UE that are considered relevant to the Assets being assessed for a TRA. The LDBT is based on the Regional DBT which is assessed locally to ensure that the local threat environment is accurately represented. UEs identified in the Regional DBT are evaluated by the TRA Team Leader and appropriate Asset representatives; the resulting UE ratings are applied to the TRA process.

2.2 UE Ratings

Each UE is assessed regionally to determine its relevance to the Unit being assessed and subsequently “localised” to ensure that the UE ratings being used for the TRA represent local influences. As an example, the UE for “Earthquake” may have a higher probability of occurring (and severity/impact) in Esquimalt than Halifax. As a result, this UE may be rated “High” in Esquimalt and “Low” in Halifax. Table 7 provides the values and associated ratings for individual UEs, while Table 8 provides normalised Unit threat values and their associated ratings.

An accurate DBT assessment is critical to the success and credibility of the TRA process. In this methodology, the DBT provides the threat values necessary to inform the vulnerability assessment and to calculate risk. The TRA team leader should be well versed in the DBT methodology.
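As an added worked example (not code from the chapter, from DRDC, or from the HTRA publication), the Python below carries the Annex A residual-risk arithmetic and the Annex B localisation of UE ratings through for two constructed units, Esquimalt and Halifax, reusing the chapter's own earthquake illustration. The 1..5 ladder scores and the Asset × Threat × Vulnerability product come from the text; the bands that map the 1..125 product back to a descriptor, the Target Risk Level of Medium, and every asset, UE and vulnerability rating are assumptions constructed for the example.

```python
"""Residual risk with a localised DBT: added worked example, not code from the
chapter or from the HTRA publication.

Asset value, threat and vulnerability each come off a five-step language
ladder scored 1..5 (Annex A); residual risk is their product, 1..125.  The
bands that map the product back to a descriptor, the Target Risk Level and
all sample ratings are ASSUMPTIONS chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

LADDER = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed: upper bound of each residual-risk band on the 1..125 product scale.
RISK_BANDS = [(8, "Very Low"), (27, "Low"), (48, "Medium"), (80, "High"), (125, "Very High")]


def score(descriptor: str) -> int:
    """Convert a ladder descriptor to its 1..5 score; reject anything off-ladder."""
    if descriptor not in LADDER:
        raise ValueError(f"not a ladder descriptor: {descriptor!r}")
    return LADDER[descriptor]


def residual_risk(asset_value: str, threat: str, vulnerability: str) -> int:
    """Annex A: Residual Risk = Asset x Threat x Vulnerability (each 1..5)."""
    return score(asset_value) * score(threat) * score(vulnerability)


def risk_descriptor(value: int) -> str:
    """Map a 1..125 product back onto the ladder using the assumed bands."""
    if not 1 <= value <= 125:
        raise ValueError(f"residual risk out of range: {value}")
    return next(label for upper, label in RISK_BANDS if value <= upper)


def localise_dbt(regional_dbt: dict[str, str], local_overrides: dict[str, str]) -> dict[str, str]:
    """Annex B 2.2: start from the Regional DBT, then apply the unit's local UE ratings.

    Overrides for UEs absent from the Regional DBT are rejected so that a typo
    cannot silently introduce a threat that was never assessed regionally.
    """
    unknown = set(local_overrides) - set(regional_dbt)
    if unknown:
        raise KeyError(f"UE(s) not in the Regional DBT: {sorted(unknown)}")
    for rating in local_overrides.values():
        score(rating)  # validates the override is a ladder descriptor
    return {**regional_dbt, **local_overrides}


@dataclass(frozen=True)
class RiskLine:
    unit: str
    asset: str
    ue: str
    residual: int
    descriptor: str


def assess(unit: str, assets: dict[str, str], local_dbt: dict[str, str],
           vulnerabilities: dict[tuple[str, str], str]) -> list[RiskLine]:
    """One residual-risk line per (asset, UE) pair, highest risk first."""
    lines = []
    for asset, asset_value in assets.items():
        for ue, threat in local_dbt.items():
            vuln = vulnerabilities[(asset, ue)]  # KeyError here means an unassessed pair
            rr = residual_risk(asset_value, threat, vuln)
            lines.append(RiskLine(unit, asset, ue, rr, risk_descriptor(rr)))
    return sorted(lines, key=lambda line: line.residual, reverse=True)


def unacceptable(lines: list[RiskLine], target_risk_level: str = "Medium") -> list[RiskLine]:
    """Annex A mitigation: anything above the Target Risk Level needs a recommendation."""
    limit = score(target_risk_level)
    return [line for line in lines if score(line.descriptor) > limit]


def changed_threats(baseline_dbt: dict[str, str], current_dbt: dict[str, str]) -> list[str]:
    """Annex A 2.1 trigger: which UE ratings moved since the baseline TRA?"""
    return sorted(ue for ue in baseline_dbt if current_dbt.get(ue) != baseline_dbt[ue])


# --- Constructed sample data (not from the chapter) ---------------------------
REGIONAL_DBT = {"Earthquake": "Medium", "Forced entry": "Medium"}
ASSETS = {"Server room": "High", "Warehouse": "Low"}
# Identical vulnerability ratings at both units, so any difference in residual
# risk below comes purely from the localised threat rating.
VULNERABILITIES = {
    ("Server room", "Earthquake"): "High",
    ("Server room", "Forced entry"): "Low",
    ("Warehouse", "Earthquake"): "Medium",
    ("Warehouse", "Forced entry"): "High",
}
LOCAL_OVERRIDES = {"Esquimalt": {"Earthquake": "High"}, "Halifax": {"Earthquake": "Low"}}


def run() -> dict[str, list[RiskLine]]:
    """Assess both units; return the lines that exceed the Target Risk Level."""
    flagged = {}
    for unit, overrides in LOCAL_OVERRIDES.items():
        lines = assess(unit, ASSETS, localise_dbt(REGIONAL_DBT, overrides), VULNERABILITIES)
        flagged[unit] = unacceptable(lines)
    return flagged


if __name__ == "__main__":
    for unit, lines in run().items():
        print(unit, [(l.asset, l.ue, l.residual, l.descriptor) for l in lines])
```

Because the vulnerability ratings are identical at both units, the only line that crosses the assumed Target Risk Level is the server room's earthquake exposure at Esquimalt (4 × 4 × 4 = 64); the Halifax copy of the same asset and safeguard posture scores 4 × 2 × 4 = 32 and lands a band lower purely on the localised threat rating, which is the Annex B point. changed_threats() is the Annex A 2.1 "change in any aspect of threat" trigger: run it against the DBT recorded in the baseline TRA whenever a new Regional DBT is issued, and revisit the affected lines rather than the whole assessment.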

Annex C: Targeting Analysis

The targeting analysis process uses six Target Selection Factors (TSFs) that were developed specifically for the TRA methodology. Care was taken to ensure that the TSFs assessed did not duplicate criteria otherwise accounted for in the NDBT and Strategic Asset Type valuation processes.

Specific rating criteria have been developed for each TSF. Each rating criterion represents a specific variable associated with susceptibility factors relevant to that TSF. Each rating criterion within a TSF contains language ladders designed to remove as much subjectivity as possible; the most accurate descriptor for each criterion is selected, which results in a value being assigned. The TSFs developed for use in the prioritization methodology are presented below.

TSF 1—Symbolism: Assesses the degree to which an installation symbolises—or may be perceived by an aggressor to symbolise—the Government of Canada (GoC), the Canadian military, Canadian interactions with foreign militaries, or other activities associated with the installation which may represent symbolic targets to an attacker.

TSF 2—Recognisability: Assesses the degree to which an installation's local and/or regional profile will impact its susceptibility to a UE. An installation's profile includes its physical footprint, the degree to which it is a visible presence in the community where it is located, and its identifiable attributes.

TSF 3—Accessibility: Unfettered access to an installation and the ability to conduct undetected pre-attack surveillance on it increase its susceptibility to a UE. TSF 3 assesses the ease with which an installation can be accessed by examining the daily access control posture of the installation and identifying factors related to the ease with which surveillance could be conducted. It also examines the installation's compliance with Departmental Security Policy related to physical security.

TSF 4—Proximity: Examines the susceptibility to a UE related to an installation's surroundings, including identifying factors associated with the neighbourhood in which the installation is located. Population density can be associated with the amount of pedestrian and vehicle traffic in the vicinity of an installation, increasing potential victims of a UE and/or potential concealment of an attacker. The identification of other potential nearby targets in the vicinity of the installation increases the attractiveness of an attack in the vicinity and accordingly on the installation.

TSF 5—Recuperability: An installation's susceptibility to a UE is considered to increase as its ability to recover or recuperate from it decreases. TSF 5 assesses the installation's ability to maintain its core mission by identifying its ability to mount response operations which can mitigate damages and/or injury and by identifying the scale of redundancies available to it, which are necessary to resume regular operations associated with mission accomplishment.

TSF 6—Demographic: Examines the susceptibility of an installation to a UE based on its demographic, including an assessment of military personnel composition, civilian employee composition, visitation/access by members of the general public, and the visit history of foreign military members, dignitaries, or Internationally Protected Persons (IPP).

All six TSF ratings for each installation are added together to calculate the Asset's Targeting Analysis value (ATv), which is used in the calculation of the Prioritization Score. A higher ATv represents a higher assessed susceptibility to a UE.


Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Baingo, D. (2021). Threat Risk Assessment (TRA) for Physical Security. In: Masys, A.J. (eds) Sensemaking for Security. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-71998-2_14

DOI: https://doi.org/10.1007/978-3-030-71998-2_14

Published: 01 June 2021

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-71997-5

Online ISBN: 978-3-030-71998-2


508 – Harmonized Threat and Risk Assessment (HTRA) Methodology within the ITSG-33

Course Description

In this 3-day course, you will learn about the Threat Risk Assessment methodology using the ITSG-33 ISSIP and CSE's new ASTRA tool to help you conduct your assessments. The course will further your knowledge of ITSG-33 through practical application to any Government IT project.

Course Outline

Module 1: HTRA Overview

  • Relate the HTRA to the requirements for the assessment of threats and risks
  • Recognise the structure of the HTRA publication
  • Describe the phases of the HTRA process

Module 2: HTRA Activities

  • Describe the HTRA activities
  • Apply the HTRA activities for a variety of mandates

Module 3: Using the HTRA within ITSG-33 ISSIP

  • Situate the HTRA within the ITSG-33 risk management lifecycle process
  • Situate the HTRA activities within the ITSG-33 ISSIP
  • Describe the adaptations that are recommended to use the HTRA in the ITSG-33 ISSIP

Module 4: Practical Examples and TRA Tool

  • Describe the practical examples for the exercises
  • Use the TRA tool to complete the exercises

Module 5: Support Project Initiation Phases

  • Describe the TRA activities of the ISSIP conducted during the following phases of the generic SDLC process:
  • Requirements analysis
  • Complete these activities in an IT project

Module 6: Support Risk-based Design

  • High-level design
  • Detailed design

Module 7: Assess Residual Risks and Reporting

  • Describe the TRA activities of the ISSIP conducted during the installation phase of the generic SDLC process

Target Audience

Project/Program Managers, IT Security Designers, Architects, Engineers and Managers

Recommended Prior Learning

  • Course 601 - Introduction to IT Security Management (knowledge of GC Security Risk Management is beneficial)
  • Course 104 - IT Security Risk Management: A Lifecycle Approach (ITSG-33)


Serious risk. Serious innovation.

Security // Physical Threat and Risk Assessment

Our team builds and refocuses physical security frameworks which include governance structures, policy suites, personnel and physical security measures, contingency plans, government security plans, training and awareness programs and physical security audits.

It hardly needs saying that enterprises wishing to operate successfully in today's climate need sound physical security programs which fully align with strategic business goals and IT structures. TRM delivers these programs through a framework composed of governance; policy suites; personnel, information and physical security measures; critical infrastructure protection; risk management schemes; business continuity and crisis management plans; employee security training and awareness; and the audit and review of existing security systems.

Risk management is a key component which crosscuts all components of physical security.  It is more than a sign-off by an executive.  It is an important process where all participants demonstrate astuteness and accountability to make security systems function effectively and beneficially.

Critical infrastructure is not solely a national concern. Every organization has a critical subset of its infrastructure without which it could not function. It is the role of security to identify this infrastructure, acknowledge its criticality and protect it accordingly. Few organizations take this approach.

TRM security frameworks are extensible.  As companies, departments and organizations grow, a robust security framework grows easily with business needs.  Today we see more off-site work and a proper security framework is designed to accommodate business activities wherever they must be performed.

We believe that robust security postures create competitive and reputational advantage.  They are business facilitators, showing employees how to securely execute operations and providing indicators of business activities which may be too hazardous to undertake.

TRM provides a comprehensive framework and improves existing systems, delivering them as industry-best.

List of benefits

Strong security frameworks are marketable and can be held up to shareholders and stakeholders as best business practices.

Strong security programs are enablers; protecting business operations and helping business operatives understand limitations.

Governments live in multi-faceted compliance regimes of which security is a major component.  A holistic approach to security plans via complete frameworks aids in achieving compliance.

Our personnel have had long careers in the government and private sector and bring broad perspectives and imaginative solutions to all security challenges.

We apply coordinated structures and known methodologies to corporate security programs, which minimizes the waste of "security by walking around."

So why should you engage the TRM team?

Physical and IT security have been converging for decades; TRM has recognized this and produced an integrated offering to suit business needs.  Though new, the physical security practice has been carefully integrated with existing IT practices to leverage all company knowledge to deliver exciting new services.

We have carefully chosen our new practice lead from among many other competent practitioners.  He brings a breadth and depth of service delivery through having provided security solutions to the upper echelons of the Canadian government (Parliament of Canada, Supreme Court) as well as national and international engagements over the past 15 years.

TRM has extensive experience providing services to government and chooses its personnel based on their knowledge of government, its policies and its needs.  For example, our practice lead is a specialist in delivering the Harmonized Threat and Risk Assessment Methodology, a requirement of the Policy on Government Security.

The new TRM Physical Security Practice is a service which has been carefully built to meet the security needs of government and the public and private sectors. Though new to TRM, it is poised to deliver best-in-class physical security services complemented by TRM's traditional IT security strength. By integrating existing IT Security strength with a new, experienced security practice team, TRM has created a unique offering for the Ottawa market and beyond.

Please contact us if you would like more information on the Physical TRA options that TRM provides.

Find a job or contract opportunity

TRM leverages over 20 years of staffing and IT services delivery in supporting all our practices and our clients' HR staffing needs.


News and Events

  • Website re-fresh, leveraging Adobe AEM
  • A return to its roots! Now under the sole leadership of Norman Carr
  • TRM awarded single provider contract with the Department of Fisheries and Oceans
  • TRM is proud to be hosting a book signing Nov. 3rd

TRM TECHNOLOGIES INC. 280 ALBERT STREET, SUITE 1000 (10th FLOOR) OTTAWA, ONTARIO K1P 5G8 EMAIL: [email protected] T: 613-722-8843 F: 613-722-8574


© 2016 TRM technologies Inc. All Rights Reserved.


Tools and services

From: Canadian Centre for Cyber Security

One way that the Cyber Centre contributes to improving the cyber security ecosystem is by releasing some of its cyber defence tools to the open-source community.


Assemblyline

Assemblyline is a malware detection and analysis tool developed by the Cyber Centre


Common Criteria

Common Criteria is an international program in which accredited laboratories test IT products against standard cyber security specifications


Cyber Security Audit Program

The Cyber Security Audit Program is part of a series of free tools for auditors to use to assess the cyber security status of their organizations


Canadian Industrial TEMPEST Program

The Canadian Industrial TEMPEST Program certifies TEMPEST equipment as an emission security (EMSEC) control


Crypto Module Validation Program (CMVP)

The Cryptographic Module Validation Program certifies IT products that are ready for procurement


Harmonized Threat and Risk Assessment Methodology

The Harmonized Threat and Risk Assessment Methodology is a set of tools designed to address all assets, employees, and services at risk


Howler

Howler is a triage platform designed to assist Security Operations Centre (SOC) teams in streamlining their workflow and enhancing their ability to handle alerts.


Glossary

A glossary listing relevant cyber security terms and definitions


Audit of Physical Security

December 2017

PDF Version (116 Kb, 24 Pages)

Table of contents

  • Executive Summary
  • 1. Background
  • 2. Audit Objective and Scope
  • 3. Approach and Methodology
  • 4. Conclusion
  • 5. Findings and Recommendations
  • 6. Management Action Plan
  • Appendix A: Audit Criteria
  • Appendix B: Relevant Policies, Directives, and Guidance

The Audit and Assurance Services Branch of Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) included the Audit of Physical Security in Indigenous and Northern Affairs Canada's 2017-2018 to 2019-2020 Risk-Based Audit Plan (RBAP), approved by the Deputy Minister on March 13, 2017. The audit was identified as a high priority because physical security, the well-being of employees and the safeguarding of assets are important to the achievement of departmental business objectives. The audit was initiated in June 2017, and audit fieldwork concluded in September 2017. This report details the results of the audit.

Audit Objective and Scope

The objective of the audit was to assess the adequacy and effectiveness of the management control framework in place to support the physical security function at CIRNAC / ISC as well as its compliance with the Treasury Board's Policy on Government Security and other relevant policies, directives and standards.

The scope of the audit was to examine the management control framework, including the governance, risk management and internal controls in place to ensure the protection of personnel and the safeguarding of assets and information.

Due to other audit work completed or underway, there were some scope exclusions. Accordingly, the scope focused on physical security and excluded other components of government security, including IT security, occupational health and safety, and business continuity planning. Additionally, while audit work assessed the processes and controls in place to safeguard assets, asset management practices were excluded from scope. The scope of the audit also excluded environmental assets, real property, and vehicles, as well as buildings/facilities that are not being occupied by CIRNAC / ISC employees.

Statement of Conformance

This audit conforms with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

A management control framework is in place to support the physical security function at CIRNAC / ISC and its conformance to TBS Policy on Government Security and other relevant policies, directives and standards. However, opportunities for improvement were identified in the areas of roles and responsibilities, monitoring and oversight, training and awareness, and risk management, to better position CIRNAC / ISC to counter physical threats to its employees and assets.

Recommendations

Based on observations made during the audit, the following three recommendations were developed:

1. Strengthen the governance for physical security by:
  • Ensuring that the approved roles and responsibilities and security requirements are implemented as expected throughout the Departments; and
  • Strengthening monitoring and oversight to promote the achievement of physical security objectives and requirements.

2. Strengthen the risk management of physical security by:
  • Formalizing and communicating the departmental methodology to support the completion of TRAs, including sharing the indicators used to assess threats and risks with stakeholders; and
  • Implementing a formal process to monitor TRA completion as well as the implementation of TRA recommendations.

3. Strengthen the internal controls for physical security by:
  • Reinforcing and communicating policies and procedures to promote improved communication and collaboration between labor relations and accommodations functions when performing activities involving physical security;
  • Assessing regional disparities in physical security measures and confirming whether they are appropriate and risk-based; and
  • Performing a review to identify prioritized security training needs and updating the departmental security training and awareness program based on the results.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

1. Background

The Audit and Assurance Services Branch of Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) identified the Audit of Physical Security in the Department's 2017-2018 to 2019-2020 Risk-Based Audit Plan (RBAP), approved by the Deputy Minister on March 13, 2017. The audit was identified as a high priority because physical security, the well-being of employees and the safeguarding of assets are important to the achievement of departmental business objectives. The audit was initiated in June 2017, and audit fieldwork concluded in September 2017. This report details the results of the audit.

1.1 Context

Physical security is defined as the use of physical safeguards to prevent or delay unauthorized access to assets, to detect attempted and actual unauthorized access and to activate appropriate responses. It consists of the measures in place to reduce the risk of workplace violence and to ensure that information, assets, and facilities are protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value. Physical security also protects the people working with and within the organization. Departments must ensure that their physical security strategy incorporates identifiable elements of protection, detection, response and recovery.

A strong physical security function is essential to protect personnel and to safeguard assets and information. The management of security, including physical security, intersects with other management functions including access to information, privacy, risk management, incident and emergency management and business continuity planning, occupational health and safety, real property, materiel management, information technology (IT) and finance. Management of security also requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls involving detection, prevention, mitigation, and implementation of corrective measures.

The Treasury Board of Canada Secretariat (TBS) Policy on Government Security (PGS) ensures that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management. Footnote 1 Deputy Head responsibilities include establishing a security program for the coordination and management of departmental security activities, approving the departmental security plan, ensuring the integration of security requirements into departmental activities, and ensuring that investigations are conducted when security issues arise. Deputy Heads are also responsible for appointing a departmental security officer (DSO) to establish and direct a security program.

The PGS is supplemented by the TBS Directive on Departmental Security Management (DDSM). The objective of the DDSM is to achieve efficient, effective and accountable management of security including roles and responsibilities at various levels within departments. Footnote 2 In accordance with the PGS and DDSM, the TBS Operational Security Standard on Physical Security describes baseline physical security requirements designed for common types of threats that departments would encounter. Footnote 3

1.2 Physical Security at CIRNAC / ISC

To comply with the PGS and DDSM, CIRNAC / ISC developed its Departmental Security Plan (DSP), a three-year plan to respond to departmental security requirements, including physical security, based on a security risk assessment. The DSP provides the Deputy Minister and senior officials with prioritized risk-based strategies, objectives and timelines for improving the Department's security posture that are aligned with the strategic priorities, programs, plans and processes. The departmental Security Management Framework includes various departmental policies and procedures, which provide department-specific security guidance on how to meet the security requirements set out in the PGS.

At CIRNAC / ISC, the responsibility for the physical security function falls under the Security and Accommodations Division (SAD) (also referred to in this report as "headquarters") within the Human Resources and Workplace Services Branch. The Departments also have security resources outside SAD, which are located in each sector and region. The Regional Directors General have overall accountability for physical security at their regional offices, and regional security activities are carried out by Regional Security Officers (RSOs). Furthermore, each sector has a designated Sector Security Coordinator (SSC). SSCs and RSOs report functionally to the DSO.

CIRNAC / ISC operates a large decentralized network of offices, many of which are co-located with other government and non-government tenants. Maintaining appropriate control in these environments is inherently challenging and complex, particularly where CIRNAC / ISC does not control central access to the facility.

2. Audit Objective and Scope

2.1 Audit Objective

The objective of the audit was to assess the adequacy and effectiveness of the management control framework in place to support the physical security function at CIRNAC / ISC as well as its compliance with the TBS Policy on Government Security and other relevant policies, directives and standards.

2.2 Audit Scope

The scope of the audit was to examine the management control framework, including the governance, risk management and internal controls in place to ensure the protection of personnel and the safeguarding of assets and information. The audit work examined the following high priority areas as determined by the risk assessment performed during the planning phase:

  • Governance, including the accountabilities, roles and responsibilities of departmental employees with security responsibilities as well as the governance structures in place for the oversight and management of the physical security function;
  • Risk management, including the processes in place to systematically identify, document, assess, and mitigate physical security threats and risks; and,
  • Internal controls, including the policies and procedures, training and awareness, and physical controls/processes in place to protect personnel, information and assets as well as monitoring, reporting and performance measurement against departmental physical security objectives

Due to other audit work completed or underway, there were some scope exclusions. The Department's Business Continuity Plan was excluded from the scope of this audit, as an audit was conducted in 2016-2017. Also, Occupational Health and Safety was excluded from the scope since this audit is planned in fiscal year 2018-2019. Furthermore, an Audit of IT Security was being conducted in parallel to this Audit of Physical Security and has been excluded from scope.

While our audit scope focused on the governance, risk management, and internal controls in place to support the safeguarding of assets, the assessment of asset management practices was excluded from scope. Additionally, the following assets were not specifically included in the scope of the audit: environmental, real property, and vehicles. The scope of the audit also excludes buildings/facilities that are not being occupied by CIRNAC / ISC employees.

3. Approach and Methodology

The Audit of Physical Security was planned and conducted in accordance with the Institute of Internal Auditors International Professional Practices Framework and in alignment with the TBS Policy on Internal Audit.

The audit was performed from June 2017 to October 2017 and consisted of three phases: planning, conduct and reporting. Based on information gathered during the planning phase, a risk assessment was completed to determine the most significant risks to CIRNAC / ISC physical security. Audit criteria were developed to cover areas of highest priority as determined by the risk assessment and served as the basis for developing the detailed audit program for the conduct phase of the audit. Refer to Appendix A for the audit criteria developed for this audit, which were informed by relevant policies, standards, and guidance listed in Appendix B.

The conduct phase included the completion of audit procedures at headquarters as well as in three regions (Ontario, Saskatchewan and Manitoba). Audit procedures were also conducted through teleconferencing with three additional regions (Northwest Territories, Nunavut, and British Columbia). During the conduct phase, performed between August 2017 and September 2017, the audit team examined sufficient, reliable and relevant evidence to provide a reasonable level of assurance in support of the audit conclusion. The principal audit techniques used were:

  • Interviews with key stakeholders
  • Walk-throughs
  • Physical inspections
  • Documentation review
  • Risk analysis

Based on a combination of evidence gathered through interviews, facility walkthroughs, observation, examination of documentation and risk analysis, each audit criterion was assessed and observations were made. Where a significant difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop relevant recommendations.

5. Findings and Recommendations

Observations and recommendations below focus on the management control framework established for physical security, including the governance, risk management and internal controls in place to ensure the protection of personnel and the safeguarding of assets and information.

5.1 Governance

Oversight structures and mechanisms are expected to be in place to ensure the effective and efficient management of physical security within a department. Footnote 4 An effective physical security governance structure requires defined, documented and communicated accountabilities, roles, responsibilities and reporting relationships. Furthermore, physical security governance mechanisms (e.g. oversight committees) are to be established to ensure the coordination and integration of physical security activities with departmental operations, plans and priorities. Footnote 5

In alignment with the PGS, the Deputy Head has formally appointed a Departmental Security Officer (DSO) to implement the government security requirements, including physical security. The physical security governance structure is documented in the Department's Security Management Framework and its embedded documents, including the Departmental Security Policy, collectively referred to as the "Framework". The Framework is aligned to the requirements of the PGS and its related Directive on Departmental Security Management.

Accountabilities, roles, and responsibilities of security practitioners are further defined in documents including, but not limited to, the DSO Handbook, RSO Terms of Reference, and the SSC roles and responsibilities document.

Additionally, the Departments have established committees that provide an oversight role over departmental security, including physical security. Specifically, there is a Departmental Security Committee, which provides advice, guidance and recommendations concerning departmental security. There are other senior management committees (e.g. Operations Committee, Internal Affairs Committee) that are involved in oversight and decision-making related to security; however, these committees have broader mandates and are involved with matters pertaining to physical security on an ad-hoc basis. The Departments have also established a monthly teleconference call that is chaired by the DSO and attended by security practitioners from across the headquarters, sectors, and regions. The monthly call provides a forum to share important updates and discuss security related matters.

Roles and responsibilities

Although roles and responsibilities are defined in documentation, there is an opportunity to strengthen their implementation in practice. For example, the RSO Terms of Reference contains a comprehensive listing of the various responsibilities to be carried out. However, we observed several instances where these roles are not being carried out consistently, including but not limited to, performing routine inspections (e.g. security sweeps) to support conformance to and promote awareness of physical security requirements; and maintaining an ongoing security awareness program.

While each region has appointed an RSO that reports functionally to the DSO, the role is generally carried out on a part-time basis as the RSO typically carries out multiple other administrative roles outside of security. The roles and responsibilities are generally being carried out on a reactive basis, and there were several instances where the RSOs were unable to proactively perform all defined roles and responsibilities. For instance, interviews demonstrated that carrying out RSO responsibilities such as conducting investigations, developing security design briefs and delivering security training is challenging due to high demands from a knowledge, experience and capacity perspective.

Moreover, each sector has an SSC that supports SAD in carrying out security-related responsibilities. Unlike RSOs, who are directly responsible for the delivery of various physical security activities, SSCs' roles and responsibilities are more focused on promoting physical security awareness and coordinating the completion of physical security activities, such as reporting identified issues/deficiencies to SAD and following up on physical security requests (access card applications, incident reports, etc.). While these roles and responsibilities are documented, we observed an example where an SSC was not fully aware of the responsibilities associated with the role.

The roles and responsibilities of the RSOs and SSCs are essential to managing a system of processes and controls to protect, detect, and respond to physical security-related risks/issues facing the Department, as well as to raise awareness of physical security requirements. CIRNAC / ISC's ability to meet its physical security requirements at a department level is dependent on regional and sectoral security personnel carrying out their defined roles and responsibilities.

Monitoring & oversight

The overall responsibility for managing the departmental physical security program falls under SAD; however, much of the conduct of physical security activities takes place at the regional level. While the Department has established mechanisms to provide oversight for the management of physical security and to communicate security related information to relevant stakeholders, departmental monitoring processes over the implementation of physical security requirements throughout the Departments are limited and informal. For instance, information sent from regions (e.g. incident statistics) is often not subject to headquarters monitoring and follow-up. In some cases (discussed further in the Risk Management and Internal Controls sections), physical security requirements such as security sweeps and threat and risk assessments were not conducted at certain facilities, which may be attributable to limited oversight for these activities.

Given the decentralized organizational structure, strong monitoring and oversight practices are essential to ensure that physical security activities are carried out in a coordinated and integrated manner across the departments and physical security controls remain current and address significant threats and risks. Specifically, strong monitoring and oversight practices would allow the Departments to identify, escalate and address exceptions where physical security requirements and responsibilities are not being met. In turn, this will promote and better enforce the implementation of individual responsibilities to carry out physical security activities across sectors and regions.

Recommendation

1. The Director General of Human Resources and Workplace Services, in consultation with the Senior Assistant Deputy Minister of Regional Operations, the Assistant Deputy Minister of Northern Affairs Organization and Regional Directors General, should strengthen the governance for physical security by:

  • Ensuring that the approved roles and responsibilities and security requirements are implemented as expected throughout the Departments; and
  • Strengthening monitoring and oversight to promote the achievement of physical security objectives and requirements.

5.2 Risk Management

Management of physical security requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls. Footnote 6 Furthermore, departments are expected to develop, document, implement and maintain processes for the systematic management of physical security risks to ensure continuous adaptation to the changing needs of the Departments and the threat environment. Footnote 7 A threat and risk assessment (TRA) is an essential activity carried out to support the management of physical security risks. To guide departments in the process of conducting TRAs, the Government of Canada has endorsed the Harmonized Threat and Risk Assessment (HTRA) Methodology. Footnote 8

Through the TRA process, threats and risks are identified and assessed for a specific location. Based on the results of the assessment, recommendations may be made to provide additional safeguards or modify existing safeguards in order to achieve an acceptable level of residual risk.

Departmental methodology

The development of TRAs may be either contracted to external security firms or conducted in-house by security practitioners within SAD. As per CIRNAC / ISC's Security Management Framework, the HTRA Methodology is to be adopted and consistently applied when developing TRAs for departmental facilities, including for the identification of assets and threats. While SAD has established a methodology for conducting TRAs, it is not aligned to the HTRA and has not been formally approved. Additionally, the methodology and criteria for assessment are not openly shared with relevant stakeholders, such as those responsible for making decisions on whether to accept or reject TRA recommendations (e.g. regional management).

Attaining senior management buy-in will strengthen the overall credibility of the TRA activity and reinforce the risk management of physical security. With improved transparency, relevant stakeholders will be made aware and fully confident in the process used to reach findings and recommendations.

Monitoring and follow-up

Departmental guidance on when to perform or update a TRA is not well established or communicated. Stakeholders, including regional management and headquarters security practitioners, were not aware of a defined policy statement or guidance on the conditions that should trigger the performance of a new TRA or an update to an existing TRA. In the absence of a well-communicated policy statement, it was unclear to stakeholders whether TRAs should be performed or updated on a regular and defined basis (e.g. every five years), as a result of emerging threats and risks identified at a regional or national level, or as a result of material changes to the physical work environment.

Additionally, monitoring is not being performed by headquarters on the completion of TRAs. Some CIRNAC / ISC facilities have undergone multiple TRAs, while certain other facilities have not been subject to a TRA at all.

Moreover, there is no formalized process for headquarters to follow up on the implementation of recommendations from TRAs performed internally or externally. We observed instances where TRA recommendations were not tracked to resolution.

As per CIRNAC / ISC's Security Management Framework, action plans are to be created and approved when a TRA report recommends implementing safeguards to mitigate residual risk to an acceptable level. However, at the regional level, there were instances where recommendations were not implemented and there was no supporting action plan or risk acceptance document in place.

While we did observe strong regionally-driven follow-up practices in two regions, whereby action plans for TRA recommendations were established with targeted timelines, assigned accountabilities and active monitoring (including examples of active engagement with SAD), a formal monitoring and oversight process for TRAs has not been established for the entire Departments.

By not proactively monitoring and following up on TRAs, the Departments are not able to ensure that physical security risks are being managed continuously and effectively throughout the Departments. For instance, proactive monitoring can ensure that TRAs are conducted as needed and that TRA recommendations are actioned in a timely and effective manner. Furthermore, through effective management and oversight of the TRA activity, CIRNAC / ISC will be better positioned to identify and mitigate pervasive gaps and vulnerabilities that could exist across the Departments.

2. The Director General of Human Resources and Workplace Services should strengthen the risk management of physical security by:

  • Formalizing and communicating the departmental methodology to support the completion of TRA s including sharing the indicators used to assess threats and risks with stakeholders; and
  • Implementing a formal process to monitor TRA completion in a timely manner as well as the implementation of TRA recommendations.

5.3 Internal Controls

The minimum physical security control objectives that a department must achieve to ensure its mandate and security requirements are met are established within the DDSM and are elaborated upon further in the TBS Operational Security Standard on Physical Security. Footnote 9 Physical security controls include preventive measures, detection and response, and must be adapted to mitigate a department's specific threats, risks and vulnerabilities (as discussed in the Risk Management section). Footnote 10

All CIRNAC/ISC employees have roles in effectively implementing physical security controls. As mentioned previously, it is the responsibility of headquarters to monitor physical security controls across the Departments to ensure they remain effective in addressing current physical security requirements as well as department-specific risks identified in risk assessments. Footnote 11 The government's approach to physical security is based on the premise that the design of facilities and physical security safeguards should create conditions that reduce the risk of violence to employees, protect against unauthorized access, detect attempted or actual unauthorized access and activate an effective response. Footnote 12

However, at various CIRNAC/ISC facilities, installation of physical security measures must be approved by the landlord or the property manager (e.g. Public Services and Procurement Canada, Brookfield Global Integrated Solutions), and can involve Shared Services Canada in some instances. As such, CIRNAC/ISC does not always have full control over the installation of physical security measures, and third-party dependencies have caused delays or prevented installation in some instances.

Training & awareness

Appropriate and up-to-date training activities reduce the risk that physical security is inadvertently compromised by enabling employees to have the necessary knowledge and competencies to effectively perform their physical security responsibilities. Additionally, a departmental security awareness program helps ensure that employees at all levels are informed and regularly reminded of security issues and their security related responsibilities. Footnote 13

CIRNAC/ISC has established a departmental security awareness program that covers physical security. For example, there is an annual security awareness week, during which security tips and materials are emailed to all CIRNAC/ISC employees. Furthermore, security training material exists, along with indications that training is delivered to new RSOs. Security awareness training is also provided to new employees.

While training activities are being delivered, there are opportunities to improve. For example, several RSOs expressed the desire for more training opportunities that would better equip them to fulfill the broad array of responsibilities (e.g. conducting investigations, delivering regional security training activities) encompassed within managing regional security activities. Training is essential for ensuring that security practitioners have the necessary knowledge and competencies not only to carry out their specific security-related roles and responsibilities but also to transfer knowledge and promote awareness to all employees.

Additionally, staff members in regions often do not receive adequate training on physical security beyond the security briefing received when they first joined CIRNAC/ISC. Examples of job-specific training that could be provided include training on how to deal with conflict situations involving public interactions and on how to identify and avoid potentially dangerous situations while travelling. Training should be made available to employees whose duties and situations could give rise to workplace violence. Footnote 14

Physical security is required to be fully integrated into the processes of planning and designing facilities. Footnote 15 To meet this requirement, CIRNAC/ISC's Security Management Framework specifies that security personnel are to be involved in the development of security design briefs, documents that aim to ensure that security considerations and requirements are factored into the planning and design phases for new facilities or renovations to existing facilities. However, instances were identified where the security team was not involved in the planning and design of new facilities or of facilities being retrofitted.

While baseline physical security controls were generally observed to be in place at the regions visited, there were several instances of regional disparity in security measures for which the rationale was not known or documented. The following are examples:

  • Configuration and safeguards for Registration Offices. Security measures provided for Registration Offices varied from facility to facility, including one facility that had no evacuation route to secure space and no plexiglass or panic button in place to mitigate the threat of a hostile client. Additionally, Registration Offices in some regions are outside of the operational zones.
  • Safeguards for delivery of treaty payments. Security measures in place for delivering treaty payments varied across regions. Specifically, we noted some regions with limited security measures (e.g. no security escort), which could increase the risk exposure of regional employees.
  • Dedication to security roles. Some regions have created or are in the process of creating full-time positions for security roles, while other regions have these roles (e.g. RSO, Deputy RSO) performed part-time.
  • Visitor access controls. Some facilities did not have processes in place for visitor sign-in, including having visitors verify their identity and sign a visitor log book. Additionally, visitors are not always provided with a visitor ID badge identifying them as an approved visitor to the facility.
  • Presence of commissionaires at facilities. Commissionaires are posted at some, but not all, CIRNAC/ISC premises to monitor the control of access within the facility.

While there is no expectation of a "one size fits all" approach to security across the Departments, there is an expectation that security measures will be commensurate with the level of threats and risks identified. The rationale for disparities in security measures was not always provided or known by interviewees. Furthermore, staff interviewed generally expected their office to have a similar level of security to other regional offices. It is essential to leverage the departmental risk management process (i.e. TRAs) to analyze identified threats and risks and to ensure that physical security controls and measures are implemented according to the level of risk identified. Taking a risk-based approach will help to ensure that management addresses its physical security needs on a prioritized basis.

Detection and response

Detection and response are important components of an active defence strategy against physical security threats, vulnerabilities and incidents. One process employed by the Departments to detect non-compliance with physical security requirements (and to promote physical security awareness) is security sweeps of facilities, which are governed by the Departmental Physical Security Inspection Procedures and are required by the Directive on Departmental Security Management to be conducted on a routine basis. Footnote 16 While the documented departmental procedures were considered sound, issues related to the frequency, assigned responsibilities and documentation of security sweeps were observed.

There were several instances where security sweeps were not being regularly performed at facilities. Furthermore, sweeps were generally carried out by employees with security roles (e.g. RSOs, headquarters security practitioners); however, in one observed instance the task was informally assigned to administrative staff and there were no documented results. Additionally, some sites visited had documented sweep statistics, such as the number and percentage of unsatisfactory results by function, while other sites visited had no documented sweep statistics at all. The Departmental Physical Security Inspection Procedures require that sweep statistics (e.g. number of annual notices, most common deficiencies) be collected, reported to security personnel, and used to track long-term patterns.

When security sweeps are not carried out, instances and trends of physical security breaches may go unnoticed for a prolonged period, at both a regional and national level.

Another detection and reporting control employed by CIRNAC/ISC is the Security Services Information System (SSIS). Footnote 17 SSIS is the primary mechanism used to monitor and report on physical security activities across the Departments (e.g. number of incidents in regions/sectors). However, headquarters security practitioners noted that monitoring is generally not performed on the information uploaded to the system. Furthermore, there was a lack of clarity among regional stakeholders on how the information reported in SSIS was used by headquarters for monitoring and decision-making.

We also observed inconsistent data entry practices for SSIS. For instance, one region entered security incidents in infrequent batches as time permitted, and headquarters staff noted that regions did not always upload their incidents within the required timeframe (i.e. every three months). Additionally, we observed that the locking devices module (which tracks the departmental inventory of keys, alarms, secure telephones, etc.) was only partially implemented (i.e. information was not uploaded from regions) and was not actively monitored or kept up to date.

Without consistent practices for uploading and monitoring information in SSIS, the reliability of the system as a central repository for monitoring and reporting on physical security activities may be undermined by incomplete or inaccurate information.

In alignment with the DDSM, CIRNAC/ISC has established procedures for conducting administrative investigations into security incidents; however, we were informed of issues related to the implementation of these procedures. Footnote 18 While there are standard operating procedures specifying how security personnel should be informed of and involved in investigations, it was found that security is not always informed of and fully involved in administrative investigations (at both the regional and national level), including those carried out by Labour Relations.

It is important that there be communication and collaboration with security personnel in investigations so that security input can be leveraged for various activities (e.g. gathering evidence, conducting interviews, closing files) and security-specific responsibilities, such as deactivating access cards and retrieving departmental assets from suspended or terminated employees, can be fulfilled.

3. The Director General of Human Resources and Workplace Services, in consultation with the Senior Assistant Deputy Minister of Regional Operations, the Assistant Deputy Minister of Northern Affairs Organization and the Regional Directors General, should strengthen physical security internal controls by:

  • Reviewing, updating and communicating policies and procedures to promote improved communication and collaboration between the Labour Relations and Accommodations functions when performing activities involving physical security;

To acquire an appropriate level of assurance to meet the audit objective, the following audit criteria were developed.

Audit Criteria and Control Objectives

1. Governance

1.1 Accountabilities, roles and responsibilities of departmental employees with physical security responsibilities are defined, documented and formally communicated to relevant persons.

1.2 An organization structure for physical security has been established and operates in alignment with departmental operations, plans and priorities.

1.3 An oversight function has been established to ensure the coordination and integration of security activities with departmental operations, plans and priorities and to measure outcomes.

2. Risk Management

2.1 The Departments have documented and implemented approaches to the risk management of physical security, which include processes for risk identification, assessment, response, communication and monitoring.

3. Internal Controls

3.1 Policies and procedures have been established to support the delivery of the Departments' physical security requirements.

3.2 A departmental security training & awareness program covering physical security is established, to ensure that individuals are informed and regularly reminded of security issues and concerns, as well as trained to discharge their security responsibilities.

3.3 Information, assets and facilities are protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value.

3.4 Management employs a systematic and consistent approach to planning, monitoring and reporting physical security activities and results.

3.5 An incident management process is in place to detect, respond and report on physical security incidents.

The following authoritative sources were examined and used as a basis for this audit:

  • ASIS International publications (including Effective Physical Security, 4th Edition)
  • ISACA COBIT Delivery and Support (DS) 12: Manage the Physical Environment
  • Treasury Board Directive on Departmental Security Management (DDSM)
  • Treasury Board Operational Security Standards on Physical Security
  • Treasury Board Policy on Internal Audit
  • Treasury Board Management Accountability Framework (MAF)
  • Treasury Board Policy on Government Security (PGS)
  • Treasury Board Standard on Security Screening
  • RCMP Guidelines and Tools [including, but not limited to, Harmonized Threat and Risk Assessment (TRA) Methodology; Preparation of Security Briefs; Control of Access; and Protection, Detection, Response]

Key CIRNAC / ISC policies, plans and directives examined during the audit included:

  • Security Management Framework
  • Departmental Security Policy
  • Departmental Physical Security Inspections Procedure
  • Departmental Security Plan
  • Directive on the Application of Administrative Measures Following Security Violations
  • Standard Operating Procedures - Administrative Investigations


51 Security

Fri. May 3rd, 2024

Harmonized Threat and Risk Assessment (TRA) Methodology (CSE-RCMP)

Harmonized TRA Methodology (TRA-1)

  • TRA-1 - Tool
  • TRA-1 - A-5: Sample Statement of Work for TRA Consulting Services
  • TRA-1 - A-6: Sample TRA Work Plan
  • TRA-1 - B-2: Asset Listing
  • TRA-1 - B-5: Asset Valuation Table / Statement of Sensitivity
  • TRA-1 - C-2: Threat Listing
  • TRA-1 - C-4: Threat Assessment Table
  • TRA-1 - D-2: Vulnerability Listing
  • TRA-1 - D-4: Vulnerability Assessment Table
  • TRA-1 - E-2: List of Assessed Residual Risks
  • TRA-1 - F-2: Safeguard Listing
  • TRA-1 - F-5: Recommendations Table
  • TRA-1 - F-6: Outline TRA Report
  • TRA-1 - G-1: TRA Worksheet

https://cyber.gc.ca/en/guidance/harmonized-tra-methodology-tra-1

Harmonized Threat and Risk Assessment

The RiskView H-TRA solution automates the Government of Canada Harmonized Threat and Risk Assessment model and helps organizations identify, evaluate, prioritize, and report risks. The model is summarized in a diagram on the source page and explained below. While the solution is dynamic and allows the user to start anywhere, it follows the five-step process outlined below.

1. Identify Assets

Identify assets (e.g. data, equipment, buildings) and assign each a value based on its confidentiality and on the impact of its compromise in financial, legal, privacy or injury-to-people terms. Assets are assigned a value from Very Low (1) to Very High (5) against thresholds that can be changed for an industry or an organization depending on its risk appetite.

2. Identify Threats

Threats to an organization can be external, internal, competitors, foreign governments, natural, or other. The more such threats you identify and list, the better the result of your TRA. Each threat is assigned a value based on its likelihood and impact.

3. Identify Vulnerabilities

The third step, and the most labour-intensive, is the vulnerability assessment for each asset, where each vulnerability is assigned a value based on its likelihood and impact. There are many methodologies for identifying and ranking vulnerabilities; for example, you may use RiskView's methodology for identifying IT network and application security vulnerabilities (shown as a process diagram on the source page).

4. Calculate Residual Risks

The fourth step is to calculate the residual risk. The risk calculation and its conversion back to a rating are based on the following formula, and the tool automates the calculation of the residual risks:

Residual Risk Value = Asset Value [1..5] × Threat Risk [1..5] × Vulnerability Residual Risk [1..5]

5. Monitor and Report

Report and Monitor findings. The tool allows for either pre-made PDF reports, or fully customized company Word documents.

https://www.h-tra.ca/
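As an added example (not RiskView's code, and not the Harmonized TRA Methodology's own worksheets), the five steps above carried through in Python on constructed data loosely modelled on the audit findings quoted earlier on this page. The product formula is the one stated above; the mapping of the 1..125 product back onto the 1..5 rating (the rounded cube root, i.e. the geometric mean of the three factors), the rating labels and the "High or above needs a safeguard" threshold are assumptions made here for illustration, and the asset, threat and vulnerability names and values are constructed.

```python
# Added example: five-step HTRA-style residual risk calculation on constructed data.
# Not RiskView's code and not the TRA-1 worksheets. The product formula is the one
# quoted on the page; the cube-root conversion back to 1..5, the labels and the
# safeguard threshold are assumptions made here.
from dataclasses import dataclass

RATING = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


def check_scale(value: int, what: str) -> int:
    """All three inputs live on the 1..5 scale; anything else is a worksheet error,
    and a single stray 0 or 10 would silently zero out or inflate a whole row."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:            # step 1: value from confidentiality, financial, legal, privacy, injury impact
    name: str
    value: int


@dataclass(frozen=True)
class Threat:           # step 2: value from likelihood and impact
    name: str
    risk: int


@dataclass(frozen=True)
class Vulnerability:    # step 3: a weakness on one asset that one threat can exploit,
    name: str           # valued after the safeguards already in place are considered
    asset: str
    threat: str
    residual: int


def residual_risk(asset_value: int, threat_risk: int, vuln_residual: int) -> int:
    """Step 4, as stated on the page: Asset Value * Threat Risk * Vulnerability Residual Risk."""
    return (check_scale(asset_value, "asset value")
            * check_scale(threat_risk, "threat risk")
            * check_scale(vuln_residual, "vulnerability residual risk"))


def to_rating(score: int) -> int:
    """Assumption: map the 1..125 product back onto 1..5 with the rounded cube root
    (the geometric mean of the three factors), so 1 -> 1 and 125 -> 5."""
    return max(1, min(5, round(score ** (1 / 3))))


def assess(assets, threats, vulns):
    """Build the list of assessed residual risks, highest first (ties ordered by asset)."""
    asset_by_name = {a.name: a for a in assets}
    threat_by_name = {t.name: t for t in threats}
    rows = []
    for v in vulns:
        a, t = asset_by_name[v.asset], threat_by_name[v.threat]  # KeyError on a dangling reference
        score = residual_risk(a.value, t.risk, v.residual)
        rating = to_rating(score)
        rows.append({"asset": a.name, "threat": t.name, "vulnerability": v.name,
                     "score": score, "rating": rating, "label": RATING[rating]})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def recommendations(rows, threshold: int = 4):
    """Step 5: every row rated at or above the threshold needs a safeguard in the report."""
    return [f"{r['label']} ({r['score']}): {r['vulnerability']} on '{r['asset']}' "
            f"vs '{r['threat']}' -- safeguard required"
            for r in rows if r["rating"] >= threshold]


# Constructed sample input (names and values are illustrative, not from any real TRA).
ASSETS = [Asset("Registration Office staff", 5), Asset("Client records", 4), Asset("Server room", 5)]
THREATS = [Threat("Hostile client", 3), Threat("After-hours unauthorized entry", 4), Threat("Flooding", 2)]
VULNS = [
    Vulnerability("No panic button or barrier at counter", "Registration Office staff", "Hostile client", 4),
    Vulnerability("Visitor sign-in not enforced", "Client records", "After-hours unauthorized entry", 3),
    Vulnerability("Door alarm monitored by commissionaire", "Server room", "After-hours unauthorized entry", 1),
    Vulnerability("Below grade, no water sensor", "Server room", "Flooding", 2),
]

if __name__ == "__main__":
    results = assess(ASSETS, THREATS, VULNS)
    for r in results:
        print(f"{r['score']:3d} {r['label']:9s} {r['asset']} / {r['threat']} / {r['vulnerability']}")
    print(*recommendations(results), sep="\n")
```

Running the block lists the assessed residual risks highest first (the unprotected counter scores 5 × 3 × 4 = 60, the unenforced visitor log 48, the two server-room items 20 each) and then the rows that need a safeguard recommendation. Because the product is not a rating, the conversion step matters: without one, a "60" and a "20" sit on no common scale with the 1..5 inputs, which is why the page describes the step as a calculation and a conversion.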


Ottawa Valley SAGE

Providing a forum since 1998.

Apr 28, 2010

HTRA Training available...

Comprehensive risk management, education and awareness through “the harmonized threat risk assessment methodology”.

Join the High Tech Crime and Investigation Association (HTCIA) Ottawa Chapter on Thursday, May 27, 2010, for a one-day training event on the Harmonized Threat Risk Assessment (HTRA) Methodology. This session is geared towards those who are interested in understanding the methodology used by today's security experts when conducting Threat Risk Assessments. The session follows the organization of the Harmonized TRA Methodology:

  • Introduction;
  • Preparation Phase;
  • Asset Identification and Valuation;
  • Threat Assessment;
  • Vulnerability Assessment;
  • Calculation of Residual Risk;
  • Recommendations; and

Each of the key areas will be addressed at an introductory level, giving workshop attendees an understanding of how the HTRA process works. For those attendees looking for a full "how to" program, details of a four-day technical course will be made available during the workshop.

Since the unification of threat risk assessment methodologies on October 29, 2007, through a joint working group of the Communications Security Establishment (CSE) and the Royal Canadian Mounted Police (RCMP) and a parallel User Focus Group, the Harmonized Threat Risk Assessment (HTRA) Methodology has become the unified Canadian standard for the assessment of threat and risk.

Familiarity and understanding of the HTRA Methodology will provide both security professionals and the general public the knowledge, skills and confidence to apply the HTRA principles, regardless of profession, in their everyday life.

Important Note: This training is not generally available to the private sector. Take advantage of this unique opportunity to gain greater familiarity with the HTRA. This very informative training session will be moderated by none other than Mr. John Clayton who was the co-chair of the joint CSE-RCMP working group responsible for the development of the HTRA Methodology!

For further information, please visit the registration page. Seating is limited to 100 people.

This event is available to both members and non-members.


Threat and Risk Assessments

The challenge.

The cyber threat landscape is constantly changing and evolving. Risks to your organization can come from cyber criminals, hacktivists, state-sponsored actors, and malicious insiders.

Your systems, applications, and networks are constantly being probed by such groups looking for potential weaknesses or gaps in your security posture. What plan do you have to identify and manage these risks before an attacker exploits them? Consider conducting a Threat and Risk Assessment (TRA).

WHAT IS A THREAT AND RISK ASSESSMENT?

A Threat and Risk Assessment (TRA) is designed to be a foundational aspect of an organization’s risk management program. A TRA consists of the following steps:

  • Identifying and assigning values to critical assets
  • Identifying threats relevant to the identified assets
  • Assessing the likelihood and impact of any identified vulnerabilities
  • Evaluating the overall risk to the identified assets
  • Recommending safeguards to reduce the overall risk

A TRA aims to help you better identify, assess, and manage your information security risks at an enterprise level.

  • Evaluates current policies, procedures, and processes for potential gaps
  • Identifies opportunities for improvement
  • Educates organizational leaders on emerging threats and trends
  • Supports strategic planning activities
  • Enhances risk response capabilities and operational resilience
  • Promotes and communicates risk ownership

HOW WE CAN HELP

Richter’s TRA approach leverages a customized version of the Harmonized Threat and Risk Assessment (HTRA) methodology developed by the Royal Canadian Mounted Police (RCMP) and Communications Security Establishment (CSE).

We work with both business and technical stakeholders to understand your environment, the business impact of any incidents that may affect your environment's confidentiality, integrity or availability, and the presence (or absence) of any controls and safeguards you have in place.

From there, we provide recommendations tailored to your organization's size, scope, and maturity to manage any identified risks effectively.

Our key experts

  • Raymond Vankrimpen
  • David Greenham


COMMENTS

  1. Harmonized TRA Methodology (TRA-1)

    The Harmonized Threat and Risk Assessment Methodology is a set of tools designed to address all assets, employees, and services at risk. These are ready for integration with project management methodologies and system development life cycles to meet management needs for responsive solutions at both strategic and operational levels.

  2. PDF Harmonized Threat and Risk Assessment (TRA) Methodology

    TRA-1 Harmonized Threat and Risk Assessment Methodology Foreword i 2007-10-23 Foreword The Harmonized Threat and Risk Assessment (TRA) Methodology is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment (CSE) and the Commissioner, Royal Canadian Mounted Police (RCMP).

  3. Harmonized threat and risk assessment (TRA) methodology

    A report by Communications Security Establishment and Royal Canadian Mounted Police on a method to address all employees, assets and services at risk. The report explains the TRA's design, tools, integration, objectives and reporting features, and provides a permanent link to the PDF version.

  4. Publications

    The Harmonized Threat and Risk Assessment (TRA) Methodology is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC) and the Commissioner, Royal Canadian Mounted Police (RCMP). Harmonized TRA Methodology (hosted by CSEC)

  5. Harmonized TRA Methodology (TRA-1)

    Publisher - Current Organization Name: Communications Security Establishment Canada. Publisher - Organization Section Name: Canadian Centre for Cyber Security (CCCS) Licence: Open Government Licence - Canada.

  6. Threat Risk Assessment (TRA) for Physical Security

    As a starting point, the Harmonized Threat Risk Assessment (HTRA), developed by the Communications Security Establishment (CSE) and the Royal Canadian Mounted Police (RCMP), was used as the baseline methodology and several processes within this baseline were used to guide the development of the TRA methodology presented here. The HTRA has been ...

  7. Course 508: Harmonized Threat and Risk Assessment (HTRA) Methodology within the ITSG-33

    In this 3-day course, you will learn about the Threat Risk Assessment methodology using the ITSG-33 ISSIP and CSE's new ASTRA tool to help you conduct your assessments. The course will further your knowledge of ITSG-33 in a practical application for any Government IT project.

  8. Guideline on Defining Authentication Requirements

    Departments may want to conduct more generalized security risk assessments using the Harmonized Threat and Risk Assessment (TRA) Methodology, which is jointly published by the Royal Canadian Mounted Police and CSEC. The Harmonized TRA Methodology is designed to address all employees, assets and services at risk.

  9. Threat Risk Assessment

    In Canada, a common Threat Risk Assessment that is used is the Harmonized Threat and Risk Assessment (HTRA) Methodology developed by the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE): "The Harmonized Threat and Risk Assessment Methodology is designed to address all employees, assets and services at risk.

  10. Physical Threat and Risk Assessment

    For example, our practice lead is a specialist in delivering the Harmonized Threat and Risk Assessment Methodology, a requirement of the Policy on Government Security. The new TRM Physical Security Practice is a service which has been carefully built to meet the security needs of government and the public and private sectors.

  11. Threat and Risk Assessment (TRA)

    When a company adopts the concept of threat and risk assessment for its organization, it aims above all to ensure that it makes the right decisions regarding security and applies the appropriate recommendations regarding effective protective measures. An assessment of the safeguards already in place is also part of the TRA process. Our ...

  12. Tools and services

    The Harmonized Threat and Risk Assessment Methodology is a set of tools for cyber security risk assessment and mitigation. It is one of the tools released by the Cyber Centre, along with Assemblyline, Common Criteria, Cyber Security Audit Program, Industrial TEMPEST Program, Crypto Module Validation Program and more.

  13. PDF Harmonized TRA Limitations 13Sep11

    considered in future improvements to the Harmonized Threat and Risk Assessment (HTRA) Methodology1 and other security risk management guides. Objectives The HTRA Methodology is currently being used by many Government of Canada departments. The HTRA Methodology was developed by the Communications Security Establishment Canada (CSEC) and the Royal

  14. Audit of Physical Security

    Footnote 7 A threat and risk assessment (TRA) is an essential activity carried out to support the management of physical security risks. To guide departments in the process of conducting TRAs, the Government of Canada has endorsed the Harmonized Threat and Risk Assessment (HTRA) Methodology. Footnote 8

  15. PDF Threat and Risk Assessment Summary

    TRA Methodology The TRA was based on the Communications Security Establishment Canada (CSEC) and the RCMP's Harmonized Threat and Risk Assessment (HTRA) methodology, which provides a consistent means of calculating risks based on objective valuations of threats, assets, and vulnerabilities. The HTRA methodology was created by the

  16. HTRA

    Risk Management Frameworks Use proven Risk Management frameworks and processes such as NIST 800-53, ISO 31000, and Government of Canada Harmonized Threat Risk Assessment.