Passport Canada
 
 Français  Contact Us  Help  Search  Canada Site
 Home  Printable
 Forms		  Service
 Locations		  FAQ  DFAIT
 Site Map
Satisfaction Survey
Proactive disclosure
 

Audit report

Security

June 2000

Context

The Passport Office is responsible for protecting sensitive information and goods under its authority. The information must be classified and designated taking into account the provisions for adequate exceptions of the Access to Information Act and the Privacy Act. The material goods and those appropriate to information technologies must be classified and specifically designated according to their confidentiality, integrity, availability and value. Information and sensitive goods must be protected according to minimal standards, and related risk and threat assessment.

The Passport Office is responsible for the implementation of the security policy and must conduct an internal audit, at least every five years, on its compliance with the policy and its efficiency in implementing it. This audit is conducted within the framework of Treasury Board Secretariat's requirements in this respect.

At the Passport Office, the Director of Security, Policy and Entitlement is responsible for all matters related to security. The Director was also appointed Departmental Security Officer to represent the Passport Office to Treasury Board Secretariat on all issues dealing with the Government Security Policy and the operational standards. The Departmental Security Officer is responsible of all security issues arising from the passport issuance activity. The Security, Policy and Entitlement is responsible for developing, implementing, maintaining, coordinating, and controlling the security program.

Under Security, Policy and Entitlement Directorate, the Security and Entitlement Review Section is responsible for the functions related to the management of security, physical security and personnel security.

The scope of the audit included the following areas: the organisation of security, the management of security, physical security and personnel security. Excluded from the audit were the security of information technologies, the security and management of emergency cases, as well as the security management of contracting out services.

The Passport Office has in place a policy on security (Administrative Practices Manual). The Security and Entitlement Review Section is responsible for updating the security policy and procedures.

Objective

The objective of the audit was to ensure the compliance of all sensitive information and goods with the Government Security Policy and with the operational standards and the efficiency and effectiveness of the Security Program of the Passport Office.

Audit standard assurance level and criteria

The audit was carried out in accordance with the requirements of the Internal Auditing Standards for the Government of Canada and designated for a high level of assurance. Procedures such as inspection, observation, inquiry, confirmation, computation, analysis and discussion were considered necessary to achieve the audit objective. The criteria used for the audit were:

  • the structure of security management at the Passport Office for the overall program of security, in particular management of security, physical security, and personnel security;
  • the security education and training programs, the classification and designation of sensitive information and goods, the declassification or disposal of such goods, the measures of protection of sensitive information and goods, the breaches and violations of security and other security-related incidents, the protection measures taken for external communications;
  • the location and layout of installations, the identification and the application of protection measures in the installations, the examination and control of physical security measures;
  • the personnel security investigations, the authorisation, refusal or revocation of security levels, the measures required at employees' termination of employment.

Audit results

The current structure makes the Security Administrator responsible for the strategic aspects of security and clearly defines the incumbent's obligation to assume these responsibilities in accordance with the agreed upon expectations. Final power and authority are however shared with those who are responsible for program delivery. The Passport Office should ensure that the processes and structures that are in place cover responsibilities and authorities for the development and implementation of security policies and that programs are clearly defined and assigned. Vertical and horizontal responsibilities must be specified.

Presently, security interventions respond to isolated events while the development, follow-up and respect of security rules are determined according to established priorities. The resources allocated to the Security Program do not meet the requirements of an efficient security program.

The threat and risk assessment is not up to date.

The Passport Office has established a security policy along the lines of the Treasury Board Secretariat policy on security. The Passport Office policy on security must be updated to reflect actual needs in terms of staff security, and the physical security of sensitive information and materials.

The guidelines dealing with physical security are not adapted to current construction standards. An official inspection process for ongoing projects should ensure that security measures are respected. The office lay-out in passport offices is of questionable value where ergonomic principles and the security of the employees exposed to the public are concerned.

Security regulations are informally transmitted and security is described as repeated or isolated events where corrective action is taken. There is no education or awareness program in place.

Conclusion

Based on the audit findings, we can conclude that improvement to the actual management control framework will ensure efficiency and effectiveness of the security program of the Passport Office.

Recommendation

Provide sufficient level of financing to ensure an operational level to the security function of the Passport Office.

Management response

Management agrees with the conclusion. An action plan will be prepared.


  Updated: 2006-05-05 Top of page Important Notices