ARCHIVED – Chapter 1: General introduction
Archived information
This information has been archived and replaced by the Contract Security Manual.
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
On this page
100. Industrial Security Manual
1. General
The Industrial Security Manual (ISM) is produced for industry by the Industrial Security Sector (ISS) at Public Services and Procurement Canada (PSPC).
2. Scope
This manual is a simple reference which tells company security officers (CSOs) what they must know about Canadian government security standards and procedures and how to ensure that their organization meets these security requirements.
3. Application
This manual prescribes the procedures to be applied by Canadian-based organizations, for the safeguarding of government information and assets, provided to or produced by private organizations and where security is administered by the Contract Security Program (CSP) of PSPC. Procedures are also provided for the same activities related to allied foreign government departments and agencies contracting through, PSPC as in the case of multinational ventures where Canada is a partner.
4. Content
This manual is comprised of 12 chapters, each chapter being immediately followed by applicable referenced annexes. A ARCHIVED - resources section is included after the last chapter to enhance understanding of the manual. The section contains a glossary of terms as well as a short list of abbreviations and acronyms.
5. Format
Where applicable, chapters deal separately with classified and protected information and assets. Accordingly, the reader need only be concerned with that information which is clearly separated in one security category or the other.
101. Policy on Government Security
General
- The Policy on Government Security is issued by Treasury Board under authority derived from government decision and Section 7 of the Financial Administration Act.
The policy objective is to "ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management."
Federal contracts are subject to the provisions of this policy. PSPC is the designated lead department responsible for advice and guidance on security requirements in federal contracts for goods and services.
The PSPC's CSP ensures the requisite security in the private sector. Specifically, the PSPC's CSP directors are responsible for ensuring the implementation and subsequent review of all security measures within Canadian-based industries (or other non-government organizations), in those instances where Canadian protected and classified or foreign classified information and assets is disseminated to the private sector, relative to a contract, agreement, or pre-contractual requirement involving PSPC.
- Many agencies assist PSPC's CSP in meeting this responsibility, including the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP), the Department of National Defence (DND) and their counterparts in foreign countries, as well as the Communications Security Establishment (CSE of DND)
102. Contract Security Program
Aim
- The aim of a security program is to prevent unauthorized disclosure, destruction, removal, modification or interruption of protected and classified information and assets. Achievement of this aim requires an organizational structure and administrative procedures which support four subsystems providing for:
- physical security (location and design of accommodation and physical measures to prevent, detect and respond to unauthorized access)
- information technology security (control of access to information used in electronic data processing or communicated electronically)
- personnel security (personnel screening, education and sanctions)
- foreign disclosure of information and assets as prescribed in bilateral memorandum of understanding and arrangements
- Personnel security screening determines the loyalty or reliability of persons for authorized access. These sub-systems are interrelated, so the effectiveness of a security program depends on the performance of all components
- PSPC's CSP is organized to provide details of all of the components of a security program in a coordinated manner. Organizations that are granted a designated organization screening (DOS) or a facility security clearance (FSC) under the PSPC's CSP shall implement security programs, on an appropriate scale
Application
PSPC's CSP provides guidance to Canadian industry and other organizations, to ensure the safeguarding of protected and classified information and assets in the custody or under control of private sector contractors or individuals, in order to prevent:
- a security breach or compromise of such information and assets
- disruption or destruction of services
- theft, misuse or abuse of property, which could hinder contract performance and could create a potential compromise of material
Scope
Within the contractor's environment, the PSPC's CSP includes security of:
- contractor's organization
- protected and classified information and assets released to a contractor
- goods or material being produced by a contractor under contract
- protected and classified information and assets during transmission
- protected and classified information processed electronically at a contractor's facilities
- the equivalent in non-commercial organizations such as universities
103. Appointment of the company security officer and alternates
The appointment of a company security officer (CSO) applies to all organizations that require a DOS or a FSC.
Minimum requirements for the appointment of a company security officer
As a minimum, a CSO must:
- be a Canadian citizen or a permanent resident and an employee of the organization
- be security screened to the reliability status level in the case of a DOS
- be security cleared to the level of the FSC. There are exceptions to this requirement for some North Atlantic Treaty Organization (NATO) and some Top Secret FSC. Please consult your field industrial security officer for further information
- report to a designated key senior official (KSO) on all security matters and should be located at the organization's Canadian headquarters to permit personal communication with the KSO on security matters
Appointment of a company security officer
The CSO shall be appointed by the chief executive officer or the designated KSO of the organization. To appoint a CSO, PSPC ARCHIVED—Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form must be submitted to PSPC's CSP for approval. PSPC's CSP will not discuss security matters, nor will they release any material to a CSO until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.
Alternate company security officer (to carry out the duties of the company security officer in their absence)
The CSO should designate, from among the organization's appointed alternate company security officers (ACSO), one ACSO to carry out the duties of the CSO in their absence and shall advise PSPC's CSP of this choice accordingly. This ACSO shall be a Canadian citizen, an employee of the organization and shall be security screened or cleared to the same level as the CSO.
In the event that the CSO terminates employment with the organization, the designated ACSO will assume all responsibilities for industrial security. The organization must appoint a new CSO as soon as possible afterwards using PSPC ARCHIVED—Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form. Failure to appoint a new CSO who is security screened or cleared to the appropriate level may result in the suspension of the organization's DOS or FSC.
Minimum requirements for the appointment of additional alternate company security officers
With the exception of a one person organization, it is a mandatory requirement that at least 1 ACSO be appointed at the organization's facility where the CSO is located, and at least 2 ACSOs be appointed at each additional facility of the organization where protected or classified information and assets are safeguarded.
As a minimum, the ACSO must:
- be a Canadian citizen or a permanent resident and employee of the organization
- be screened to the reliability status level in the case of a DOS
- be security screened to the reliability status level in the case of facility security clearance without classified document safeguarding capability (DSC)
- be security cleared to the level of the FSC in the case of a facility security clearance with classified DSC. There are exceptions to this requirement for some NATO and some Top Secret FSCs. Please consult your field industrial security officer (FISO) for further information
- report to the CSO on all security matters
Appointment of alternate company security officers
The CSO shall appoint the ACSOs of the organization. To appoint an ACSO, the PSPC ARCHIVED—Annex 1-B: Alternate company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. PSPC's CSP will not discuss security matters, nor will they release any material to an ACSO until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.
104. Responsibilities of the company security officer
- In relation to a DOS or a FSC, the CSO is responsible for:
- reviewing the security requirements as defined in the contract security requirements checklist (SRCL) or contract security clauses and ensuring that all security requirements are adhered to
- obtaining approval from PSPC's CSP prior to subcontracting contracts with security requirements
- conducting updates and upgrades to security clearances in accordance with the required format and established time frames
- appointing, briefing and training all ACSO's
- appointing, from among the appointed ACSOs, 1 officer to be the company security officer in their absence
- identifying those employees who require access to protected and classified information, assets, or protected and classified work sites and ensuring that accurate and complete personnel security screening documentation is submitted for such employees
- for DOS, ensuring that all the CSOs and ACSOs are security screened to reliability status
- in the case of FSC, ensuring that all the organization's KSOs, CSO and alternates are cleared to the highest level of access required
- where necessary, arranging resolution of doubt interviews with employees
- ensuring that employees receive a security briefing upon notification of having been granted a security clearance or reliability status by completing the security screening certificate and briefing form
- ensuring that only personnel who have been security screened to the appropriate level and who have a need-to-know have access to protected and classified information and assets or controlled sites in accordance with contractual requirements
- maintaining a current list of security screened employees in accordance with ARCHIVED - chapter 2 of this manual
- ensuring that personnel security screening files are safeguarded properly
- ensuring the security screening certificate and briefing form is submitted in order to terminate the reliability status or security clearance of those employees who no longer require access to protected and classified information and assets or controlled sites in accordance with contractual requirements
- in coordination with client's security representatives, ensuring that employees working at client sites are briefed by the client concerning any relevant security requirements
- ensuring the proper completion of requests for visits
- informing PSPC's CSP of any changes in the organization's legal status or ownership and in the case of FSC, changes in the list of KSOs
- informing PSPC's CSP prior to any physical move or new construction which could affect the safeguarding of protected and classified information or assets
- documenting and reporting changes of circumstance or behaviour for personnel with regard to their security screening status as outlined in this manual
- documenting and reporting persistent or unusual contact from another individual, or attempts by another individual to obtain access to sensitive information, assets or a facility without proper authorization
- In relation to a DOS or a FSC with DSC, the CSO is also responsible for:
- preparing ARCHIVED—Annex 1-C: Security orders and ensuring that all personnel who have access to protected and classified information and assets have been briefed on their security responsibilities through the implementation of an effective security awareness program
- appointing, when required, an IT corporate security coordinator and designates
- appointing, when required, communication security (COMSEC) and alternate COMSEC custodians in accordance with the Industrial COMSEC Material Control Manual
- ensuring that all protected and classified information and assets are safeguarded and handled in accordance with the provisions of this manual
- ensuring that CSO inspections are conducted, at least annually, of all the organization's facilities that hold protected and classified information and assets and that records of these inspections are retained for at least 3 years
- providing, as a minimum, an annual inventory of protected and classified information and assets
- ensuring that all security violations are recorded and subsequently investigated
- ensuring that PSPC's CSP is immediately notified of any breach or compromise, and that a written report is submitted to PSPC's CSP as soon as possible. Investigation of breaches or instances of compromise shall be coordinated by PSPC's CSP
- To ensure that security issues are properly addressed and properly coordinated, it is necessary that the CSO be the official contact with PSPC's CSP . In most cases, the CSO will bring issues to PSPC's CSP by contacting the manager of the Industrial Security Operations Division. Communication with PSPC's CSP, whether written or oral, should be limited to the CSO and any ACSOs or the chief executive officer of the organization
105. Corporate company security officer
- When a facility-cleared Canadian parent organization own one or more cleared subsidiaries in Canada, a corporate company security officer (CCSO) should be appointed to oversee government industrial security matters for the entire corporation. The CCSO shall be a Canadian citizen, be employed by the organization and shall report to a designated KSO of the organization on all security matters. The appointment of a CCSO does not replace the requirement to have a CSO at each cleared subsidiary holding protected and classified information or assets
- The CCSO shall be appointed by the chief executive officer or the designated KSO of the parent organization. To appoint a CCSO, the PSPC ARCHIVED—Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. The appointment only becomes official when a completed copy of this form has been returned to the organization
- In order that the duties of the CCSO are carried out during their absence from the corporation, and unless it is otherwise agreed to by PSPC's CSP , the CCSO shall designate one CSO as the alternate CCSO and shall advise PSPC's CSP accordingly
Annexes
- ARCHIVED—Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form
- ARCHIVED—Annex 1-B: Alternate company security officer security appointment, acknowledgement and undertaking
- ARCHIVED—Annex 1-C: Security orders