MAF 2021 to 2022 Security Management Methodology

Methodology overview

The Government of Canada (GC) needs to provide assurance to Canadians, partners, oversight bodies and other stakeholders related to the management of government security, and, in particular, respecting Canadians' ongoing expectations that government will protect their sensitive and personal information, while effectively delivering trusted services to the public. The extent to which government can ensure its security posture directly affects its ability to continue delivery of trusted programs and services that contribute to the health, safety, economic well-being and security of Canadians. In this context, the Policy on Government Security (PGS) is the key policy framework used by TBS to ensure an integrated and holistic approach to mature Security management for the GC.

The 2021-2022 Security Area of Management (AoM), Management Accountability Framework (MAF) Methodology is aligned with and supports the strategic outcomes outlined in the PGS and will continue to focus on: 1) Effective security planning and reporting; 2) Trusted workforce and partners; 3) Preparedness and effective response to events; 4) Trusted information systems and processes.

In addition, the methodology takes into consideration the extraordinary circumstances related to COVID-19 and remote working, while balancing the requirements established under the renewed PGS. MAF is the main data collection tool available to the Security AoM to help ensure that federal departments and agencies attain a mature state of Security management. It also helps ensure that the expectations related to the implementation of Treasury Board policy and related management practices with respect to security controls are met, including departmental security plans, security screening, security in contracts and other arrangements, security awareness and training, business continuity management, information management security, information technology security, physical security and security event management.

Use of MAF Results

The 2021-22 MAF results will provide information to the three key audiences listed below.

Deputy Heads

  • An integrated view of the extent to which the organization meets expected results for its Security management;
  • Potential areas for improvement and responsive actions which may be required to ensure Security risks to the department and possibly the GC are continuously monitored; and
  • Where policy implementation challenges exist, provide an opportunity to course-correct or reprioritize activities, on an as needed basis.

Chief Security Officer (CSO) community:

  • Current state of departmental security controls and management practices;
  • Benchmarks and comparative results; 
  • Leading practices to inform and advance departmental guides, procedures and tools; and,
  • Identification of common security needs to drive collective action to further strengthen departmental, and, by extension, GC security management.

Treasury Board of Canada Secretariat:

  • The level of policy compliance with the PGS and related maturity level of organizations;
  • Government-wide risks and possible systemic issues;
  • Leading practices to inform and advance GC wide guides, procedures and tools; and
  • Baseline government-wide performance data and trends analysis to inform decision making and future policy and tools development and/or refinement.

Period of assessment

While the period of assessment for each indicator may vary depending on the information required, the overall timeframe for this year’s assessment falls within the November 1, 2020 to October 31, 2021 range, allowing for the submission of the most up-to-date information possible.

Also, of note, TBS may refer to internal or external evaluations and audits (including Office of the Auditor General), the Application Portfolio Management process and associated Clarity tool, Lead Security Agency/Internal Enterprise Service Organization data, as well as other relevant information to support the MAF Security area of management assessment and reporting.

Impact on Departments

| Security Management | 2020-21 | 2021-22 |
|---|---|---|
| Total number of questions | 6 (due to COVID-19) | 13 |
| Total number of questions which require the submission of evidence | 5 | 12 |

  • Three questions remain from MAF 2020-21 (Q1, Q5, Q9)
  • BCP indicator was preserved and represents the only Security AoM indicator for which TBS will respond as part of the assessment
  • All new questions are for the department to answer

Overall outcomes

The methodology will generate insights into a department’s or agency’s security planning maturity, security control framework and security management practices that contribute to strengthening the overall security posture of the GC. This information is important for validating and informing security management decisions and direction, observing trends and changes, identifying areas of strength and areas that need attention, as well as the sharing of leading security management practices.

MAF 2021-22 AoM Questionnaire

Question #1 preserved-modified (Q6 in 2020-21)

Did the department or agency report to the deputy head or senior executive committee on the effectiveness of the existing Departmental Security Plan (DSP)?

Note: In this context, it is expected that the senior executive committee is one chaired at the deputy head level.

  • Yes
  • No

Rationale

Annual reporting of the progress in achieving the priorities defined in the department’s Security plan supports the organization and the deputy head in responding to implementation challenges and provides the opportunity to course-correct or re-prioritize activities as needed.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: DSP progress report, briefing materials, or Senior Executive Committee Record of Decisions covering all areas of departmental security activities for fiscal year 2020-21, as well as the overall effectiveness of the plan, with evidence that the progress report was submitted to the deputy head.

Document limit: 2

Period of assessment: November 1, 2020 – October 31, 2021

Other TBS use only new

Government Wide Average:

Will this indicator be used in the determination of the Government Wide Average?

Yes

Year over Year Analysis:

Can the indicator be used in a year over year analysis?

Yes

Departmental Results Framework (DRF)

Is this indicator used in the TBS DRF?

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #2 new

Did the department or agency develop/implement an updated Departmental Security Plan (DSP) reflective of and contributing to government-wide security priorities, using the new DSP template, and which addresses the security controls as defined within the 2019 Policy on Government Security (PGS)?

  • Yes
  • No

Rationale

The new DSP template was developed and released in April 2021 to align to the new PGS, its eight Security Controls and respective Mandatory Procedures. The transitional consideration expressed in the revised PGS related to subsection 1.3.1 will expire for any remaining applicable organizations on June 30th, 2022. The DSP remains a key strategic and operational resource to assist organizations in identifying key Security priorities, risks, mitigation strategies and performance measures pertinent to their unique mandate and context. At the same time, the standardized approach of the new template will provide TBS with comparable information, GC/Enterprise wide, relative to the eight security controls set out in the PGS. Furthermore, a DSP details the decisions for managing security risks in an integrated manner, improving departmental security and supporting its implementation. The extent to which activities are aligned with policy supports its effectiveness, a department or agency’s likelihood of achieving its objectives and contributes to the broader policy objectives of managing government security in support of the trusted delivery of GC programs and services, the protection of information, individuals and assets, and provides assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the GC.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Current Deputy Head approved Departmental Security Plan

Document limit: 1

Period of assessment: November 1, 2020 – October 31, 2021

Other TBS use only new

Government Wide Average:

Will this indicator be used in the determination of the Government Wide Average?

Yes

Year over Year Analysis:

Can the indicator be used in a year over year analysis?

Yes

Departmental Results Framework (DRF)

Is this indicator used in the TBS DRF?

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #3 new

Does your department or agency include the Canada School of Public Service (CSPS) A230 online Security Awareness course as a mandatory requirement of the organization’s security awareness activities or program, or does your organization have a Departmental approved alternative in place?

  • Yes
  • No

Rationale

As the Employer, one of the goals of the Government of Canada is to ensure that all employees receive common baseline security awareness information, initially and on an on-going basis. This core knowledge is important in a working environment where there is high mobility of employees. As part of the requirement for the majority of employees to work remotely due to public health requirements related to the COVID-19 pandemic since mid-March 2020, the importance of ensuring employees are aware of their security responsibilities, whether working in their designated workplace or from an alternate location, continues to be critical for ensuring the protection of GC information and assets for the trusted and secure delivery of services to Canadians. Ensuring employees understand their security responsibilities as they relate to their respective security status level helps minimize risks inherent to working with sensitive information away from the designated workplace. In addition, the GC is committed to optimizing investments, such as foundational learning and related services provided by common service providers.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Organizations will need to provide two of three pieces of evidence required to receive a pass (note: appropriate senior management endorsement must be provided in at least one piece of evidence submitted to TBS):

  • Copy of the organization’s core security awareness curriculum (Briefing, Handbook, Deck) that includes A230 as a mandatory requirement or;
  • Operational Policy or procedural document that includes A230 as a mandatory training requirement, or;
  • Briefing Note approved by DH/Executive Committee establishing the A230 course as mandatory or identifying the Departmental approved alternative

Document limit: 3

Period of assessment: November 1, 2020 – October 31, 2021

Other TBS use only new

Government Wide Average:

Will this indicator be used in the determination of the Government Wide Average?

No

Year over Year Analysis:

Can the indicator be used in a year over year analysis?

Yes

Departmental Results Framework (DRF)

Is this indicator used in the TBS DRF?

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #4 new

Has the department or agency established a department-wide process to monitor and ensure a coordinated response to, and reporting of, department-specific threats, vulnerabilities, security incidents and other security events?

  • Yes
  • No

Rationale

Departments or agencies are required to define, document and maintain departmental security event management practices. CSOs are responsible for overseeing the establishment of department-wide processes to assess and document actions taken regarding residual security event management risks for the department’s programs and services and their supporting resources. Processes must include the identification of actions to address deficiencies.

Departments and agencies are required to inform TBS of all security incidents and other security events of significance and must report by email on a cyclical basis or on request, for the purposes of government-wide policy monitoring.

Departments and agencies must also report any material privacy breaches to both the Office of the Privacy Commissioner of Canada and Treasury Board of Canada Secretariat.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Operational plan or process document outlining the department-wide process.

Document limit: 3

Period of assessment: November 1, 2020 – October 31, 2021

Other TBS use only new

Government Wide Average:

Will this indicator be used in the determination of the Government Wide Average?

Yes

Year over Year Analysis:

Can the indicator be used in a year over year analysis?

Yes

Departmental Results Framework (DRF)

Is this indicator used in the TBS DRF?

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #5 preserved (Q3 in 2020-21)

What is the percentage of the department’s or agency’s external services and internal enterprise services that have an up to date business impact analysis (BIA)?

Rationale

Organizations are expected to define business continuity management (BCM) requirements for all their services and related activities supporting continued availability of services and associated assets that are critical to the health, safety, security or economic well-being of Canadians, or, to the effective functioning of government. A BIA defines these departmental BCM requirements and it is expected that a BIA be conducted on all departmental internal enterprise services and external services. Critical Services are identified after the completion of a BIA (as set out in the PGS).

A BIA also provides departments and agencies the capability to identify their risk environment which leads to the identification of departmental critical services and associated continuity strategies.

As part of the GC Service Inventory, organizations are expected to identify departmental Critical Services within their departmental Service Inventory, having conducted BIAs on each of their departmental internal enterprise services and external services to make the determination.

As a result of COVID-19, the risk environment has been altered and an evergreen list of Critical Services will help facilitate and inform decision-making and resource allocation for managing significant events impacting the delivery of critical services to Canadians now and in the future. Responses will help assess the extent to which organizations have recently completed a BIA, aligned to the department’s or agency’s BCM operational policy or directive and have identified an updated list of their departmental critical services to reflect the change in the risk environment.

The point of reference to determine whether the BIA is up to date is whether it was updated within three years of the MAF extraction date, or otherwise outlined in the departmental BCM policy/directive. Please note that it is a best practice to review/update all departmental BIAs in light of the COVID-19 pandemic context.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

100%

Calculation method (where applicable)

(Total number of departmental internal enterprise services and external services with updated BIA / total number of internal enterprise services and external services) x 100

Evidence source and document limit

TBS to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: GC Service Inventory or MAF Portal

Date of data extraction: Day following the date of MAF submission deadline.

Data collection method: Documentary evidence

Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Evidence: The extracted Excel template of the Service Inventory with the critical services fields included. The Service Inventory call-out to deputy heads includes instructions on submitting critical services information to TBS following the deadline for its submission. If the department’s critical services are not identified within the Service Inventory, please provide evidence through the MAF portal that includes a list of the department’s internal enterprise and external services and the date on which a BIA associated with each service was last updated. If the departmental BCM policy/directive outlines a BIA review cycle of more than three years, please include the departmental reference as evidence to justify the BIA is up to date according to its established cycle.

Document limit: Up to three documents

Period of assessment: March 2021 – Service Inventory deadline (November 15, 2021)

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #6 new

Did the department include all its critical services, as identified through the BIA process as defined in question 5, within the GC Service Inventory?

  • Yes
  • No

Rationale

It is a PGS requirement that departments provide information to TBS, on a regular basis or when requested, regarding the department’s identified critical services. As part of the GC Service Inventory exercise, and as a requirement of the Policy on Service and Digital, organizations are expected to identify all departmental services, including critical services within their departmental Service Inventory.

Historically, critical services have been identified and compiled separate from the GC Service Inventory exercise as the policy requirement to develop and annually update a departmental service inventory only came into effect in 2014, post-dating the requirement to develop and maintain a list of critical services as outlined in the PGS.

An integrated list of critical services within the Service Inventory ensures there is one trusted source of Government of Canada services information, which acts as a vital source of intelligence when preparing for and responding to significant events.

Departments benefit from having a reduction in reporting burden through a streamlined approach to collecting data on services, as well as a departmental view of their service information which will enable strengthened service management and business continuity management.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

Yes

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: GC Service Inventory

Date of data extraction: Day following the date of the MAF submission deadline.

Data collection method: Documentary evidence

Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Evidence: The extracted Excel template of the Service Inventory with the critical services fields included.

The Service Inventory call-out to deputy heads includes instructions on submitting critical services information to TBS following the deadline for its submission.

Document limit: N/A

Period of assessment: March 2021 – Service Inventory deadline (November 15, 2021)

Other TBS use only new

Government Wide Average:

Will this indicator be used in the determination of the Government Wide Average?

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #7 new

Has the department provided guidance on requirements to ensure the safeguarding of the physical assets, equipment and/or information for the remote work environment?

  • Yes
  • No

Rationale

The PGS requires departments to ensure the safeguarding of the Government of Canada’s physical assets, equipment, and information within a physical working environment/facility.

Due to the COVID-19 pandemic, departments and agencies have had to switch working environments to remote work, for the most part. This has significantly changed the risk environment for the Government of Canada and its employees. To mitigate some of those risks, the GC (TBS Security, TBS OCHRO, RCMP, PCO) has developed, implemented, and provided advice and guidance to departments on considerations for a secure remote working environment. [Footnote 1]

Responses will help TBS assess the extent to which organizations have been able to implement this guidance and mitigate the risks with respect to the new remote work environment and ensure effective safeguarding of the GC’s physical assets, equipment and/or information.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

100% of departments have provided guidance to employees to ensure physical security assets and information are safeguarded in a remote working environment.

Calculation method (where applicable)

% of departments that have issued and/or shared guidance with employees on how to ensure the safeguarding of physical assets, equipment and/or information in the remote work environment.

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Departmental guidance, directive, or standard operational procedures outlining requirements for the safeguarding of physical assets, equipment and/or information, along with evidence of department-wide communication of the document. This can include but not be limited to posting on departmental webpages, GC intranet (GCpedia, GCconnex) or email.

Document limit: Up to three (3) documents

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

No

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #8 new

Has your department or agency provided updated guidance to employees reflecting security considerations while working remotely, ensuring consistent categorization and handling of sensitive information throughout its lifecycle?

  • Pass
  • Partial Pass
  • No

Rationale

Information management (IM) security is an essential component of a security management framework. IM security includes the set of principles, strategies, practices and controls used to counter threats and provide consistent protection for information that supports departmental programs and services or, is under the custody of the department.

The requirements for managing information are the same whether working remotely or in the office. Individuals (or employees) must be mindful of managing information appropriately and effectively, and in accordance with all relevant legislative and policy requirements. Departments must provide guidance and continuous communication on the importance of IM security and information categorization, during the IM life cycle. As articulated in the Directive on Security Management Appendix E: Mandatory Procedures for Information Management section E.2.2.4, organizations must:

Monitor information management security practices and controls to ensure consistent application, and implement changes, as required, to ensure that these practices and controls continue to meet the needs of the department.

Departments and agencies are asked to provide evidence, in the form of screen shots, attachments or website links accessible by TBS (please do not share Intranet links TBS cannot access), concerning communications sent to all employees reminding them of the importance of information management. Details could also include messages to employees on ensuring proper categorization, marking of documents and reminders of integrating security into planning, creation, receipt, organization, use, dissemination, maintenance, transfer, and disposition.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

Pass

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: The following evidence are examples to ensure a Pass:

  • Copies of communications, which include details of IM security that span the entire length of the assessment process (4+ [Footnote *] communications that are directly related to IM security) and,
  • Copies of placemats or other tools to assist employees in appropriate IM Security categorization

A Partial Pass:

  • Copies of communications, which include details of IM security that span the entire length of the assessment process (1-3 [Footnote *] communications that are directly related to IM security) and/or
  • Copies of placemats or other tools to assist employees in IM categorization

No compliance:

  • No evidence provided or no communication provided to employees

Document limit: Up to three (3) documents

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #9 modified

Does the department or agency have the capacity to ensure that IT systems are limited to only authorized users on a regular basis [Footnote 1]? If the department or agency uses a third party as a service provider, is there regular communication to confirm the third party is performing the function to ensure only authorized users have access?

  • Yes
  • Partial
  • No

Rationale

Information technology (IT) security is an essential component of a security management framework. It includes the set of principles, strategies, practices, and controls used to protect information systems that support departmental programs, services, or activities. Periodic review of access to internally managed IT systems is imperative to ensure protection of internal systems. 

The requirements for defining, documenting, and maintaining departmental IT security requirements and practices are the same whether working remotely or in the office, and whether connected to the VPN or not. As outlined in the Directive on Security Management Appendix B: Mandatory Procedures for Information Technology section B.2.3.2, organizations must:

implement measures to ensure that access to information (electronic data) and information systems is limited to authorized users who have been security-screened at the appropriate level and who have a need for access.

Departments and agencies are asked to provide operational policies and procedures along with evidence of implementation, e.g. screen shots or logs, capturing the “whole picture” to ensure that the mandatory procedures provided in Appendix B of the DSM are implemented. This evidence is required for both internally performed and third-party services. As this question covers mandatory procedures that all impacted departments and agencies must follow, a “nil response” will require further communication between the Treasury Board of Canada Secretariat and department/agency.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

Yes

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: The following evidence are examples to ensure a yes:

  • Operational policy and procedures provided, illustrating linkages between IT and HR officials to ensure network access is activated/deactivated according to employee movements
  • Screen shot of access logs (e.g., restricting access by privileged accounts)
  • Other material that provides “whole picture” (e.g., notices to users of acceptable use of information systems)
  • Frequency of review (e.g. daily, weekly, bi-weekly, monthly, quarterly)

A partial pass:

  • Operational Policy and procedures provided
  • Frequency of review (e.g. daily, weekly, bi-weekly, etc.)

No compliance:

  • No evidence provided

Document limit: Up to three (3) documents

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #10 new

If your organization has identified positions requiring Enhanced Security Screening (using the TBS Position Analysis Tool (PAT)), what is the percentage of Enhanced security screenings that have been fully completed for all currently occupied positions from November 1, 2020 to October 31, 2021?

Note: “Fully completed” means that all Enhanced activities required by the Standard on Security Screening (Standard) for the position are complete (security questionnaire, security interview, open-source inquiry, and polygraph examination – as applicable). Each Enhanced security file will need to be identified by a unique name/identifier.

Note: If you do not process any Enhanced security screening requests, please indicate N/A.

Rationale

Departments and agencies had up to 36 months following the release of the 2014 Standard on Security Screening to fully comply with all requirements. Although required by policy, it is believed that many organizations have not yet finished implementing Enhanced screening. In turn, this may create a security vulnerability and pose challenges in transferability. Vulnerabilities from incomplete security screening could result in significant security breaches, including possible threats to national security.

This question will be used to assess policy compliance with the Standard, particularly as it relates to the implementation of Enhanced screening when duties or positions involve, or directly support, security and intelligence (S&I) functions and help identify any remaining challenges with respect to the implementation of Enhanced screening.

Since 2014, departments have been advised of the importance of compliance with Enhanced security screening requirements set out in the 2014 Standard.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

100%

Calculation method (where applicable)

Organizations are expected to provide two numbers:

“Total number of occupied positions identified as Enhanced where the individual occupying the position is appropriately screened at the Enhanced level” (numerator)

“Total number of occupied positions identified as Enhanced” (denominator)

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Template to be provided

Document limit: Template + 2 documents

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #11 new

For all individuals that have left the public service (Footnote 1) from November 1, 2020 to October 31, 2021, what is the percentage of security screening files that contain evidence that a formal debriefing (Footnote 2) was provided to remind individuals of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they had access?

Rationale

The Standard requires that upon termination of employment, engagement or assignment, all individuals must receive a formal debriefing to remind them of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they have had access.

The security debriefing upon termination of employment offers the opportunity to clarify expectations and mitigate potential security vulnerabilities regarding the disclosure of sensitive information.

This final step provides assurance that sensitive information or assets will not be divulged, discussed, or shared in a manner that could lead to potential serious harm or injury to Canada and Canadians.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

100%

Calculation method (where applicable)

Organizations are expected to provide two numbers:

“Total number of individuals that left the Federal public service that were provided with a formal debriefing with evidence contained on file” (numerator)

“Total number of individuals that left the Federal public service (termination of employment)” (denominator)

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence:

  1. Departments are required to list/report, by means of a unique identifier, on all individuals that left the federal public service in the prescribed period, and include confirmation of the type of debriefing that was provided, if any.

    Departments must indicate if the Security Screening Certificate and Briefing Form is recorded and included on file.

  2. Departments must provide sample evidence of the type of formal briefing process used (e.g. e-mail package with acknowledgement, sample in-person briefing, etc.)

Document limit: 3

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #12 new

As part of the requirements detailed in Appendix F on Aftercare in the Standard, security screening files must be updated within the prescribed update cycle corresponding to the level of screening required by the position. What is the percentage of security screening files that were fully updated, prior to the validity period elapsing as prescribed by the Standard, to reassess an individual’s reliability and/or loyalty?

Note: “Fully updated” refers to the complete verification of all associated security screening activities required for an update in Appendix B of the Security Screening Model and Criteria.

Rationale

As part of the requirements established in Appendix F: Aftercare in the Standard on Security Screening, departments are required to update security screening files in line with established update cycles detailed in Appendix B of the Security Screening Model and Criteria.

Aftercare practices are essential to help build a culture of security, where individuals understand and implement security policies and practices to safeguard information, assets, and facilities and to help ensure that security is not compromised.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

100%

Calculation method (where applicable)

“Total number of individuals that underwent a security screening file update to renew their security status or clearance where all required activities were completed prior to the validity period lapsing” (numerator)

“Total number of individuals identified in the numerator, plus the total number of individuals still employed by the organization and where the validity period of those Statuses or Clearances elapsed” (denominator)

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Template to be provided

Document limit: Template + 2 documents

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #13 new

Does your department have a mechanism in place to monitor supplier, partner, and departmental compliance with security requirements throughout the contracting or arrangement process?

  • Yes
  • No

Note: Security requirements refer to a requirement that must be satisfied to reduce security risks to an acceptable level and/or to meet statutory, regulatory, policy, contractual and other security obligations.

Rationale

The Directive on Security Management requires that security requirements associated with contracts and other arrangements be identified and documented, and related security controls implemented and monitored throughout all stages of the contracting or arrangement process to provide reasonable assurance that information, individuals, assets and services associated with the contract or arrangement are adequately protected.

The ongoing monitoring for compliance with security requirements and controls throughout the contract/arrangement is both necessary and important to provide reasonable assurance that safeguards and requirements to mitigate security risks continue to be adhered to, as defined in the agreement.

The purpose of this question is to determine if and how departments monitor and verify continued compliance with security requirements after contract award or entering an arrangement. Specifically, we are interested in understanding if overall compliance is tracked and monitored relevant to the security management of the security controls that are implicated (e.g. security screening, physical security, IT/IM, etc.).

This question will assess performance and further aims to identify possible gaps in favour of more comprehensive guidance for ensuring that compliance with security requirements associated with contracts and other arrangements is monitored throughout. Strengthened oversight and monitoring are an integral part of reducing and addressing issues of non-compliance, security incidents, or other security events.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target

Yes

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: A mechanism such as a tracker or other internal process (e.g. validation of conformity with security requirements) that demonstrates how compliance with security requirements is monitored and accounted for throughout the lifecycle of the agreement

Document limit: 3

Period of assessment: November 1, 2020 to October 31st, 2021.

Other TBS use only new

Government Wide Average:

Yes

Year over Year Analysis:

Yes

Departmental Results Framework (DRF)

No

Reference materials

Treasury Board policy reference or Government of Canada priority
