Reporting security incidents and changes in circumstances and behaviors

If you believe that sensitive government information or assets have been accessed without permission, you are required to report the security incident to Public Services and Procurement Canada's Contract Security Program (CSP). If you notice changes of circumstances or of behavior of your screened personnel, you are required to report these changes to the CSP. Find out how, when and where to report security incidents and changes in circumstances and behaviors.

On this page

• Security incidents
• Security breaches
• Security contacts
• How the program investigates a security breach
• Role of the security officers
• Changes in circumstances and in behavior

Security incidents

A security incident is an alert that a breach of security may be taking place or may have taken place. It is an act, event or omission that could result in the compromise of information, assets or services. This may include:

• leaving a protected file out on a desk unattended
• misplacing a laptop computer that contains sensitive information
• suspicious contact from someone who may be trying to gain sensitive information from you

Organizations must establish procedures to ensure that suspected or confirmed security incidents are immediately identified, investigated and reported to the CSP.

How to report a security incident

Security incidents must be reported to the company security officer (CSO) or alternate company security officer (ACSO). The CSO or ACSO will conduct a preliminary inquiry, keep a written record and report security incidents to the CSP.

Complete the Security incident report form for security officers

The preliminary inquiry will address the following:

• where and when did the security incident occur
• who reported it, to whom, and when
• what information or asset was involved
• what was the security marking and description of the information or asset involved
• who was the originator of the information or asset
• for how long and to whom was the information or asset vulnerable to unauthorized access
• what actions were taken to secure the information or asset and limit the damage
• was any information or asset lost or unaccounted for
• what are the recommendations to prevent the security incident from reoccurring

Submit either the Security incident report form or an email to:
ssidsicdieenquetes-isscisdiidinvestigations@tpsgc-pwgsc.gc.ca.

Do not submit protected and classified information with your report or by email. When submitting either your security incident report or email, clearly indicate in your message whether you have sensitive information to provide as part of the security incident report. The investigator assigned to the file will then contact you to make the necessary arrangements to obtain these documents.

If you suspect a criminal act has been committed, contact your local police service.

Security breaches

A security incident that leads to a confirmed compromise of information and assets is considered a security breach.

A breach is an act, event or omission that results in the compromise of sensitive information or assets. This means that there has been unauthorized access, disclosure, destruction, removal, modification, use or interruption of protected and classified information and assets.

How to report a security breach

In the event of a security breach, the CSO or ACSO must take the following steps:

1. report breaches immediately
   • complete the Security incident report form for security officers and send it to the CSP
2. complete an investigation of the security incident to determine what caused it
3. take corrective measures and implement controls to prevent or minimize the possibility of future similar security incidents

Security contacts

A security contact happens when the representative of a group communicates with you to access national security information for which they do not have a need-to-know. Most attempts to collect sensitive information or intelligence are subtle and often appear harmless. These can occur during social events, over the internet or during official meetings held domestically or abroad.

A security contact may come from:

• a foreign country of interest
• an extremist or subversive group
• a criminal group
• a political, commercial or issues-motivated group or individual, including the media

These groups or individuals use considerable resources to obtain access to national and defence information, weapons or other military assets. Their efforts could involve targeting a person or their family and friends.

Awareness is vital. If you have regular contact with representatives of foreign or other groups in or outside of Canada, then you are required to report this to your CSO or ACSO.

At a minimum, the CSO or ACSO must report the following situations to the CSP:

• unusual or persistent contact or any attempt by an unfamiliar individual to access information, assets or facilities
• planned or unplanned contact with embassy or foreign government officials, foreign officials or foreign nationals in Canada or outside Canada, when such contact is outside of regular duties
• actual or potential security incidents or concerns

Why you may be targeted

Employees of organizations screened with CSP could hold information that is highly sought after by foreign representatives. Information collected by these people and groups could be a threat to you, your organization and our national security.

You must report a suspicious contact so it can be assessed to:

• allow early identification of the threatening activity
• determine the extent of the threat
• alert the authorities responsible for the development of appropriate countermeasures

When to report a contact

Your organization must report suspicious contacts as soon as they happen to allow prompt assessment and appropriate action.

Consider the following questions:

• was the encounter with a foreign national
• did you feel uncomfortable with the line of questioning
• was the questioning persistent
• did anything happen that appeared suspicious or caused you concern

If the answer to any of the above questions is yes, then you should immediately report the suspicious contact to the:

• CSP through your CSO or ACSO
• local police
• Canadian Security Intelligence Service (CSIS)

Third-party reporting

Third-party reporting is a vital assistance to the federal government in identifying inappropriate contacts.

The CSO or ACSO must ensure that security incidents of this nature are reported to the CSP. They may also need to contact other parties, depending on the severity of the concern. The CSP treats third-party reports in the strictest confidence.

How to report a security contact

If you suspect a security contact, you must contact the Contract Security Program.

You may also need to contact the following authorities to report:

• an immediate threat to national security, contact either
  • 911 (your local police department)
  • the Royal Canadian Mounted Police (RCMP) National Security Information Network
• a non-immediate threat to national security
  • contact consider reporting national security information to the CSIS
• suspected criminal activities, contact either
  • your local law enforcement organization
  • the RCMP Operational Coordination Centre

    email:

    rocc_ops_ccog@rcmp-grc.gc.ca

    telephone:

    343-547-2730

How the program investigates a security breach

The CSP conducts administrative investigations into security breaches.

Some examples of security breaches include:

• violation of the Policy on Government Security or the Contract Security Manual (CSM)
• access to protected or classified information or assets by a person or an organization who does not have the required security level
• criminal activity
• information technology security incidents

The CSP will investigate security violations such as:

• failure to handle and safeguard classified information and assets in accordance with the CSM
• unauthorized modification, retention, destruction, or removal of classified information and assets
• unauthorized interruption of the flow of information

Our investigator will:

• assess the scope of the security incident
• advise the CSO on the safeguarding of the information or asset
• investigate allegations
• provide a report outlining corrective actions
• make recommendations to prevent further breaches

Role of the security officers

If the CSO or ACSO believes a security incident has taken place, they are responsible for the following:

• reporting it to the CSP
• completing a written report of the security concern
• suspending access to sensitive information and assets until the CSP has completed the investigation

The CSO or ACSO can prevent security incidents by creating awareness in the organization by:

• informing employees of their security responsibilities and making them aware of security concerns, threats and risks
• conducting regular checks to make sure employees are respecting security procedures and practices
• increasing employee awareness through security awareness orientation and training
• sharing information on the organization's security procedures and best practices
  • posters, banners, newsletters, videos and presentations are all practical ways to get the message across

Changes in circumstances and behavior

As CSO or ACSO, you must promptly report any changes in circumstances and behavior of your screened personnel.

Change of circumstances

All individuals are required to report information related to a change of personal circumstances that may affect the reliability status or security clearance they have been granted.

At a minimum, individuals are required to report any:

• change in criminal record status (criminal conviction, suspension of a criminal record or other judicial prohibitions)
• involvement with law enforcement (such as being the subject of a criminal investigation or arrested)
• association with criminals
• significant change in financial situation (such as bankruptcy or unexpected wealth)

The CSO or ACSO or the employee must promptly report on any changes of circumstances by email: spac.dgsssidessn-dobissnssid.pspc@tpsgc-pwgsc.gc.ca.

Changes in behavior

Unusual behavior that may be cause for security concern must be reported to the CSO or ACSO.

They include but are not limited to:

• drug or alcohol misuse
• sudden or marked changes in financial situation (such as bankruptcy or unexpected wealth)
• expressions of support for extremist views, actions or incidents, particularly when violence is advocated
• unexplained hostile behavior or communication
• unexplained frequent absences
• indications of fraudulent activity
• disregard for safeguarding sensitive information or assets (such as security violations or breaches)
• persistent or unusual interest in or attempts to gain access to sensitive information, assets or facilities to which an individual has no work-related need to access

As CSO or ACSO, you must promptly report any changes in behavior of your screened personnel by email: spac.dgsssidessn-dobissnssid.pspc@tpsgc-pwgsc.gc.ca.