Audit of Personnel Security
Access to Information
This report has been reviewed in consideration of the Access to Information Act and Privacy Acts. The asterisks [***] appear where information has been removed; published information is UNCLASSIFIED.
Table of contents
- Acronyms and abbreviations
- Executive summary
- Management's response to the audit
- 1. Background
- 2. Objective, scope, methodology statement of conformance
- 3. Audit findings
- 4. Conclusion
- 5. Recommendations
- Appendix A – Audit objective and criteria
- Appendix B – Screening process overview
- Appendix C – File review detailed results
Acronyms and abbreviations
Chief Information Officer
Directive on Departmental Security Management
Departmental Security Branch
Departmental Security Officer
Departmental Security Plan
Departmental Security Section
National Administrative Records Management System
Policy on Government Security
Risk-Based Audit Plan
Royal Canadian Mounted Police
RCMP Reliability Status
RCMP Security Manual
Senior Executive Committee
Specialized Policing Services
Security Screening Standard
Treasury Board Secretariat
As Canada's national police force, the RCMP is responsible for ensuring the integrity of its nearly 30,000 employees, 25,000 contractors and more than 17,000 volunteers in over 700 communities across Canada. This is accomplished by ensuring that these individuals are appropriately security screened prior to their association with the Force, and through periodic security screening updates thereafter.
In recent years, the Departmental Security Program has experienced challenges in meeting service level expectations as a result of funding pressures combined with increasing demand as a result of the implementation of Shared Services Canada, the new Parliamentary Protective Service and the National Recruiting Initiative to increase Regular Member recruiting. In an effort to enhance the efficiency of the security screening program and ensure operational requirements are met, DSB has identified and implemented a number of process modifications and is currently investigating others.
The 2011 Audit of Personnel Security found that the personnel security screening process within the RCMP was not sufficiently rigorous. It also found that the reporting structure in place at that time coupled with the lack of monitoring and oversight of the process made it difficult to assess whether the overall process was meeting its intended objectives. ***
The current audit found that while progress has been made on certain issues such as: enhancing the rigour of the process; defining and communication risk tolerances; and implementing a number of process efficiencies, risks and gaps continue to exist. *** Improvements in these areas are necessary to further facilitate improvements to the effective and efficient delivery of the security screening program.
The audit found that there were a number of challenges with respect to the ***. DSB is aware of these challenges and is taking measures to improve the capture of performance information. Notwithstanding the challenges relating to the ***, through our file review and analysis of available program information we were able to identify a number of potential opportunities and mechanisms that could improve the efficiency of the process.
The management response included in this report demonstrates the commitment from senior management to address the audit findings and recommendations. A detailed management action plan is currently being developed. Once approved, RCMP Internal Audit will monitor the implementation of the management action plan and undertake a follow-up audit if warranted.
Management's response to the audit
Specialized Policing Services (SPS) agrees with the recommendations of the Audit of Personnel Security. *** Maximizing efficiencies and standardizing processes as well as implementing a national framework for oversight and performance measurement are also seen as key components for successful program delivery.
To that end, and prior to the completion of the audit, SPS has undertaken significant steps to address program oversight, with particular emphasis on standardizing processes to improve national governance. SPS, however, acknowledges there is still much work to be done. Many of the components identified in the audit are well known and were prioritized in the RCMP Departmental Security Plan (DSP) for 2015-2018, which SPS started implementing along with the information technology (IT) required to support them. Additionally, SPS will continue working with key stakeholders and the Senior Executive Committee to further define program costing and implement a funding model commensurate with organizational priorities, risk tolerance and capacity.
SPS will carry on taking action on the recommendations over the next two fiscal years, as indicated in the DSP. A detailed management action plan which addresses the report recommendations will be developed for review by the Departmental Audit Committee prior to the next Committee meeting.
Deputy Commissioner Peter Henschel
Specialized Policing Services
As Canada's national police force, the RCMP is responsible for ensuring the integrity of its nearly 30,000 employees, 25,000 contractors and more than 17,000 volunteers in over 700 communities across Canada. This is accomplished by ensuring that these individuals are appropriately security screened prior to their association with the Force, and through periodic security screening updates thereafter.
The security screening process for the RCMP is governed by the requirements prescribed in the Treasury Board Policy on Government Security (PGS), the Directive on Departmental Security Management (DDSM), and as of October 20, 2014 the Treasury Board Standard on Security Screening (the standard) which replaced the Personnel Security Standard which had been in effect since June 9, 1994. The new standard introduced enhanced security screening activities for departments and organizations that are involved in or directly support security and intelligence functions. Appendix B to the standard, Security Screening Model and Criteria, breaks down the standard and enhanced screening activities introducing open source inquires for all enhanced security clearances and polygraph examinations for enhanced Top Secret clearances. The new standard included a 36 month implementation period, meaning departments and organizations do not have to be fully compliant until October 2017. The RCMP has further communicated throughout the force the internal security screening policy and procedures in the RCMP Security Manual (security manual).
The standard describes security screening as being at the core of the Policy on Government Security and as a fundamental practice that establishes and maintains a foundation of trust within government, between government and Canadians, and between Canada and other countries.
The PGS assigns accountability for the effective implementation and governance of security and identity management within the RCMP to the Commissioner as deputy head. It requires that the Commissioner appoint a departmental security officer (DSO) to be functionally responsible for the management of the departmental security program. Within the RCMP the Director General of the Departmental Security Branch (DSB) holds this appointment.
The DDSM's objective is to achieve efficient, effective and accountable management of security within departments. It holds that Departmental security activities must be centrally coordinated and systematically woven into day-to-day operations to ensure that individuals, information, assets and services are safeguarded. The DDSM defines the roles and responsibilities of departmental employees who support deputy heads in the management of departmental security.
The RCMP's Personnel Security Program ensures the reliability and security of individuals accessing its information systems, data and physical assets. This is achieved through the RCMP security screening process, which supports the issuance, denial, suspension or revocation of a RCMP Reliability Status (RRS) and, if required by the position, a Secret or Top Secret security clearance.
The RCMP's security screening is delivered and supported across Canada by DSB and through four (4) Departmental Security Sections (DSSs) located in Vancouver, Regina, Halifax and Ottawa. The security screening process involves multiple steps such as conducting education and employment verification, credit checks, criminal record checks, interviews and field investigations. When a RRS or security clearance expires, an update is required to extend its validity. An overview of the process is provided in Appendix B.
In 2014, DSB reported that the backlog of security clearance updates continued to grow and that time delays associated with obtaining clearances for new hires, secondments and contingent workers (contractors) was creating significant pressures for hiring managers across the RCMP. These time delays: impact operations and partnership development; may result in the lapse of funding related to contracts; could incur penalties to the RCMP for not respecting contracting terms and conditions; and could lead to qualified potential employees accepting employment outside the Force.
In a 2015 business case entitled "Transforming the National Departmental Security Program", DSB reported that average times to complete a reliability screening varied significantly by Division with the range being 17 to 52 weeks. This is in contrast to DSB's stated desired service standard of 8 to 10 weeks. In the business case, DSB reported that personnel security screening is under significant pressure as a result of increasing volumes due to consolidation of Government of Canada services including information technology (IT) and pay and increased recruitment of RCMP Regular Members from 320 to 960 cadets per year, since 2014; and due to a greater focus on security in response to modern threats.
In 2011, RCMP Internal Audit conducted an audit of Personnel Security. The results indicated that the rigour of the personnel security process needed improvement; there was insufficient oversight and monitoring over the screening process; and that Senior Executives' risk tolerances had not been sufficiently communicated or understood.
In April 2014, the Commissioner approved an audit of Personnel Security as part of the 2014-17 Risk-Based Audit Plan (RBAP). The RBAP indicated that the engagement was also to include follow-up work to assess the implementation of the Management Action Plan developed in response to the recommendations made in the 2011 Audit of Personnel Security.
2. Objective, scope, methodology and statement of conformance
The objective of this audit engagement was to assess the efficiency and effectiveness of the processes for providing personnel security screening to ensure they are: consistent with the Policy on Government Security and Security Screening Standard; streamlined; and timely.
The engagement examined the personnel security screening processes and activities for Regular Members (RM), Civilian Members, Public Servants, and Contractors at Headquarters and at regional Departmental Security Sections (DSSs). The engagement included an independent review of the security screening processes, including the process reviews and process mapping exercises that have been undertaken by the Departmental Security Branch, with a view to identifying opportunities and mechanisms to further improve efficiency without unduly increasing risk to the Force and while ensuring compliance with the Policy on Government Security and the Security Screening Standard.
The engagement also included sufficient work to assess and report on the current status of the Management Action Plan associated with the 2011 Personnel Security Audit.
Planning for the audit was completed in July 2015. In this phase, the audit team conducted interviews, process walkthroughs and examined relevant policies, directives, procedures and results of previous reviews.
Sources used to develop audit criteria include Treasury Board and RCMP policies. The audit objective and criteria are available in Appendix A.
The examination phase, which concluded in March 2016, employed various auditing techniques including: interviews, documentation reviews, analysis, physical observation and file reviews. Site visits were conducted at all four Departmental Security Sections and at the Departmental Security Branch. Upon completion of the examination phase, the audit team held meetings to validate findings with personnel and debriefed senior management of the relevant findings.
2.4 Statement of conformance
The audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
3. Audit findings
The 2011 Audit of Personnel Security found that the personnel security screening process within the RCMP ***. It also found that the reporting structure in place at that time coupled with the lack of monitoring and oversight of the process made it difficult to assess whether the overall process was meeting its intended objectives. ***
Management accepted the audit findings and recommendations and committed to conducting a review to improve the rigour of the security screening process. This review was to include consultations to identify an appropriate reporting structure. With respect to risk tolerances, management committed to defining and communicating its risk tolerances through the RCMP's Senior Executive Committee. ***
Accordingly, we expected that this audit would find that improvements had been made to improve the overall rigour and efficiency of the security screening process. Specifically, we expected that:
- Security files would be compliant with both the requirements of the standard and the security manual;
- Risks to the program would be appropriately managed, and management's risk tolerances would be communicated and understood throughout the organization;
- An appropriate reporting structure would have been identified and implemented;
- Financial information on the costs of the program would be available and would inform resource allocation decisions;
- Performance of the program would be measured and monitored; enabling program enhancements where appropriate; and
- The results of the improved governance framework would enable the streamlining of the program across the organization with identified efficiencies shared and incorporated into program policies and procedures.
Through our audit work, which included interviews, documentation reviews, analysis, physical observation and file reviews we found that since the 2011 audit, while a number of process enhancements have been made risks and gaps continue to exist, notably the availability of reliable performance and resource information. In addition, based on our analysis and file review, we also found that additional opportunities exist to enhance the effectiveness and efficiency of the process.
3.1 Program Activities Since 2011
The Policy on Government Security (PGS) and the Standard on Security Screening (the standard) require that: governance structures, mechanisms and resources are in place to ensure effective and efficient management of security at both a departmental and government-wide level; and that security screening services are effective and efficient, and meet the needs of departments and agencies, and of the Government of Canada as a whole.
The Departmental Security Program has experienced challenges in meeting service level expectations as a result of funding pressures combined with increasing demand as a result of the implementation of Shared Services Canada, the new Parliamentary Protective Service and the National Recruiting Initiative to increase RM recruiting. DSB reported in a 2015 business case that average times to complete a reliability screening varied significantly by Division with the range being 17 to 52 weeks. As reported by DSB and the four DSSs, the total demand for security clearances has increased from approximately 21,000 in 2013 to 25,121 in 2014. Volume in 2015 was consistent with 2014, with 25,258 clearances being requestedFootnote 1. During this period, resources allocated to the security screening program have reportedly remained consistent with respect to indeterminate full-time equivalents (FTE) - approximately 125 for both 2014 and 2015. However, taking into account the use of overtime, casual, and term employees, total resources allocated to the program have reportedly increased from approximately 172 FTE in 2014 to 189 FTE in 2015 (Figure 1)Footnote 2.
Improvements have been made to the program since the 2011 audit
DSB has made progress on certain issues identified by IAER's 2011 Audit of Personnel Security. In addition to enhancing the rigour in the screening process and defining and communicating risk tolerances through RCMP's Senior Executive Committee, DSB has identified and implemented a number of process efficiencies.
Rigour of screening process – compliance to policy requirements
The detailed security screening requirements and procedures to be followed within the RCMP align with the requirements of the Policy on Government Security (PGS) and the Standard on Security Screening (the standard) and are contained in the RCMP Security Manual (security manual).
We found that DSS personnel at all levels were aware of the requirements of the standard and security manual and many of the tools used locally, such as checklists, were intended to ensure compliance with the standard and security manual.
*** DSSs, as part of the audit's file review testing, a sample of 243 files for various types of clearances was *** compliant with both the requirements of the standard and the security manual, with all the required procedures having been completed. This represents a significant improvement from the findings of the 2011 audit relating to process compliance.
As previously mentioned, the Treasury Board Standard on Security Screening has introduced enhanced security screening requirements regarding the use of open source inquiries and polygraphs, that will become effective in October 2017. ***
Departmental Security Plan and Definition and Communication of Risk Tolerances
The PGS and DDSM outline the requirement for departments to conduct a continuous assessment of security risks, threats and vulnerabilities and to implement appropriate internal controls to ensure continuous adaptation to the changing needs of the department and the operating environment. The 2011 audit recommended that Senior Executives' risk tolerance levels should be defined and communicated to ensure clear understanding and consistent application throughout the program.
In July 2015, the Commissioner approved the RCMP's first 3-year Departmental Security Plan (DSP). The plan describes security governance within the RCMP and also defines the roles and responsibilities for the Commissioner, DSO, and Departmental Security Sections (DSSs) among others. The DSP, which aligns with the requirements in the TB policies, assigns the DSO with the functional authority over the Departmental Security Program. Specifically included as part of the DSO's responsibilities is the implementation of security controls and processes for the systematic management of security risks to the Department and any activities necessary to achieve the objectives and priorities of the DSP.
We found that DSB conducted a thorough assessment of security risks facing the RCMP (including risks specific to the security screening program) as part of developing the recent DSP. DSB is using the results of this assessment to guide its priorities for the next three years acknowledging that the risks will continue to evolve.
As an additional activity relating to the 2011 recommendation, DSB consulted both externally and internally to identify security risk categories and developed a decision-making tool entitled RCMP Security Risk Categories: Indicators, Mitigating Factors & Tolerances. This tool is intended as a decision making guide for personnel security analysts, investigators, risk managers and adjudicators, to ensure consistent application of risk factors in the issuance and renewal of RCMP Reliability Status and security clearances. The risk indicators, mitigating factors and organizational risk tolerances within the document are the result of extensive research and consultations with national and international partner organizations and analysis of over one thousand clearance files with adverse information.
As of April 2016, the guide was still in draft form and was only approved as a tool to be used for RM security clearances. Notwithstanding the fact that judgement will always be a factor in making security clearance decisions, once the guide has been fully approved and disseminated more broadly, DSB expects it to provide a clearer understanding of senior management's risk tolerance and provide sufficient guidance to enable the DSSs to assess risk in a more consistent manner.
Efficiencies Identified and Implemented by DSB
In its assessment of activities that could be risk-managed in an effort to enhance the efficiency of the security screening program, DSB has identified and implemented process modifications relating to: risk-managed appointments, security level reductions, and other process efficiencies.
The standard states that in all cases, individuals must be officially granted the required reliability status, secret security clearance, top secret security clearance, site access status or site access clearance before they are assigned duties or assigned to a position, and/or before they are granted access to sensitive information, assets or facilities.
DSB interim measures to increase process efficiency
In June 2014, based on recommendations from DSB, the RCMP's Senior Executive Committee approved a number of interim measures in an effort to alleviate pressures on the security screening process and to address the increased wait times for non-RM security screening requests. The objective of the interim measures was to standardize and streamline screening requirements for specific cases and thereby reduce screening processing time pending the implementation of a longer-term strategy for departmental security. Some of these measures included:
- Reducing the number of Top Secret positions;
- Rationalizing screening requirements for short-term contractors;
- Expediting reactivations, granting temporary access; and
- Expediting and risk managing secondments;
Personnel security managers commented that while the intent of interim measures is to reduce turnaround times, to a large degree, their impact on efficiency cannot be demonstrated as mechanisms were not put in place to track the use of interim measures.
Opportunities exist to improve the effectiveness of the RCMP's security screening program
While progress has been made since the 2011 audit in enhancing the security screening program, risks and gaps remain relating to functional authority and organization structure, oversight and monitoring and performance measurement practices. Enhancements in these areas are necessary to further facilitate improvements to the effective and efficient delivery of the security screening program.
Functional Authority and Organizational Structure
As previously mentioned, the RCMP's DSP identifies the implementation of security controls and processes for the systematic management of security risks as part of the DSO's responsibilities. As part of our examination we found that the DSO has encountered obstacles in carrying out these roles and responsibilities as a result of ***.
One of the issues raised during the current audit was that, in some cases, the DSO's ability to manage the program has been challenged by the fact that personnel security screening is delivered through four Departmental Security Sections (DSS) located in Vancouver, Regina, Ottawa, and Halifax. While the DSS's report functionally to the DSO for all security related matters, they report administratively, on a day-to-day basis, to local Divisional Management, which also provides the majority of the DSS's funding.
In the 2011 audit, this ***.
Through our site visit interviews we determined that there is ***: establish program priorities; reallocate resources; implement standards and processes; and establish performance expectations for the DSSs despite the fact that policy assigns functional authority to the DSO.
While some initiatives have been undertaken to address governance issues, as of April 2016, ***. Clearly defining and communicating the DSO's authority to influence resource allocation and set program priorities would enable more effective management of the program.
Financial Information and Resource Allocation
The current funding model for the personnel security screening program is complex and information regarding the full costs of the program is limited. The program is not centrally funded; rather, DSSs receive the majority of their funding from the Division in which they are located. In some cases, DSSs have obtained additional funding from the Divisions they serve (but are not located in) or from DSB to address national priorities such as screenings for the recruitment of Regular Members. In a 2015 business case, DSB reported that nationally, approximately 14% of FTEs in the security program are funded by incremental or temporary funding. This has created staffing challenges and a reliance on term and/or casual employees. Some DSSs have entered into financial arrangements with client groups to have the client temporarily fund positions within the DSS which are then dedicated to working on security screenings for that client group. Although this may address immediate requirements, it results in ongoing personnel turnover and significant effort to obtain and train temporary employees, who may seek other more permanent positions when opportunities present themselves.
*** covering the costs of the field investigation portion of the security screening process were observed. ***. Resources allocated to the security screening program have reportedly remained consistent with respect to indeterminate full-time equivalents (FTE) - approximately 125 for both 2014 and 2015. However, taking into account the use of overtime, casual, and term employees, total resources allocated to the program have reportedly increased from approximately 172 FTE in 2014 to 189 FTE in 2015 (Figure 1).
|Year||DSB Unit||Atlantic Unit||Central Unit||Northwest Unit||Pacific Unit||Total||% Change|
|2014||4.25 (23.85)||11.85 (12.56)||37.27 (48.91)||27.45 (36.88)||43.97 (49.79)||124.79 (171.99)||---|
|2015||5 (31.83)||10.75 (12.42)||38.91 (41.12)||25.27 (48.58)||45.09 (54.57)||125.02 (188.52)||< 1% (9.6%)|
*** along with ad hoc arrangements for securing funds from client groups, reduce the accuracy and completeness of costing information. Without complete and accurate costing information and a secure source of funding, it is difficult for the program to confirm resource requirements or to strategically reallocate funds within the program to address increased demand or new requirements such as the open sources inquiries and polygraph examination introduced in the October 2014 Standard on Security Screening. There is also a risk that opportunities for efficiencies may be lost, as the DSO does not have sufficient information to propose strategic resource reallocation decisions.
Enhanced, complete information regarding program costs would allow for more informed resource allocation, and would aid in determining long-term funding requirements.
Monitoring and Performance Measurement
The TB PGS requires deputy heads to ensure that periodic reviews are conducted to assess the effectiveness of the security screening program. The DDSM assigns to the DSO the responsibilities of measuring performance on an ongoing basis to ensure that residual risk levels are acceptable. In addition, the standard requires the DSO to monitor compliance with the standard and the effectiveness of security procedures and practices.
***. In response to the audit findings, management committed to establishing national performance measures and ongoing monitoring of national processing times.
We found that at the completion of our examination phase the policy centre had not defined specific performance information requirements and DSSs were not required to capture and report such information. ***.
During our site visits in our examination phase, we attempted to obtain performance information from the individual DSSs; however, we found that DSSs capture performance measures differently and for their own purposes. ***. For example not all DSSs have an intake function which records the receipt of new requests for a clearance which can also conduct an initial review of applications for completeness. Further one DSS divided security screening requests by client groups while another distributed security screening requests to security screening analysts by employee category. ***.
Departmental Security management has acknowledged the continuing gap in this area and as a recent enhancement to the program, during the reporting phase of this audit the DSB policy centre defined and communicated performance information requirements to the four DSSs. In addition, the policy centre has commenced developing national performance standards and tracking key performance indicators (KPIs) for each component of the departmental security program, including the Departmental Personnel Security Screening program as part of the recently approved DSP.
As a longer term solution, we were informed by DSB that the RCMP Chief Information Officer (CIO) has identified MS Dynamics as the platform for all replacement case management systems. The CIO Branch is currently piloting MS Dynamics within the RCMP ***. DSB has considered alternative interim solutions; however, NARMS is the only interim case management system supported by the CIO.A robust performance reporting framework would better enable management at DSB and the DSSs to set standards, monitor performance, establish service standards, identify opportunities for efficiencies, and make appropriate resource allocation decisions.
3.2 Potential Process Efficiencies
In addition to assessing compliance with the PGS and the standard, an element of the audit objective was to identify potential opportunities and mechanisms to further improve process efficiency without unduly increasing risk to the RCMP. In order to enable a meaningful detailed analysis of the process, we had expected to find the processes and practices amongst DSSs to be consistent and that reliable performance measurement data, including files with sufficient detail to allow for the clear identification of both processing times associated with each step in the screening process and bottlenecks as well as backlog information would be available. As mentioned in the previous section, ***. DSB is aware of these challenges and is taking measures to improve the capture of performance information.
Potential opportunities exist to implement further efficiencies within the security screening process.
Notwithstanding the challenges relating to the reliability and availability of performance data, through our file review and analysis of available program information we were able to identify a number of potential opportunities and mechanisms that could improve the efficiency of the process.
The results of our file reviewFootnote 4 identified on average, Atlantic DSS had quicker processing times for all security clearance types compared with the other three DSS (Appendix C). A key explanation for this as provided by Program staff, was that the field investigations and security interviews in Atlantic are coordinated by the hiring manager prior to sending the file to the DSS, while in the other DSSs the coordination and conduct of field investigations and the security interview are done by security screening program staff as part of the security screening process. With quicker security screening processing times, Atlantic DSS has a reported higher file completion rate per FTE resource compared with the other three DSSs (Figure 2).
For the most part, overall processing times for the Central, Northwest, and Pacific DSSs include time for the conduct of the security interview as well as the queue time waiting for the interview as well as the administration of the interview results, which we were informed by Program staff can be significant.
|Year||Atlantic DSS||Central DSS||Northwest DSS||Pacific DSS||Total||% Change|
The use of the interview as part of the security screening process plays an important part in assessing and corroborating information provided by an applicant. While important, the use of the interview itself is not a mandatory requirement by the standard. The standard requires that a "security questionnaire and/or security interview" be conducted. ***.
In light of a relatively low denial rate, in an effort to improve the efficiency of the security screening process, the RCMP could consider a risk based approach with respect to whether conducting a security interview is necessary i.e. when adverse information is identified during other security screening activities. ***.
Another area that was identified by Program staff as being an internal queue or bottleneck is risk investigations. In the majority of cases when adverse information is uncovered during security screening activities the file is referred to a DSS's Risk Unit for a risk investigation. A risk investigation can involve additional interviews, further law enforcement records checks, and consideration by DSB for the ultimate adjudication of the clearance request which could result in a denial, suspension, or revocation.
***. There is an opportunity within this DSS to enhance process efficiency by moving away from the practice of referring all of its RM recruit files to its risk unit.
Employment and Character Reference Checks
Elements of the field investigation of the security screening process has been identified by Program staff as an internal bottleneck. Through our interviews with Program staff, we've identified that the method of assessing an applicant's employee and character references is not delivered uniformly across the DSSs. We were informed by Program staff that one DSS conducts employment and character reference interviews in-person; this involves local travel and may involve travel outside the geographical area where the field investigator is located. ***. The practice of conducting employment and character references in-person appears to be overly risk averse in relation to overall denial rate. ***.
Law Enforcement Records Checks
The RCMP currently checks up to *** data bases as part of its security screening process. Analysts need to input tombstone information into each of the data bases separately for both the employee and in some cases family and associates, resulting in a somewhat labour intensive and time consuming process.
***. The audit team learned that various proposals have been put forward by DSS employees to reduce the number of data base checks that are conducted for each file, but none have been approved or implemented. DSB is considering the use two database inquiry tools, ***, to increase the timeliness of processing security clearance updates. If these tools are successful in addressing the update backlog, DSB could consider extending the use of these tools for all new and upgrade security clearances. Using a risk-based approach for all security files, DSB could use these two databases inquiry tools and then would only conduct the full spectrum of law enforcement checks if the initial checks through *** identified areas of risk.
Increasing the transferability of security clearances from other departments and agencies
Due to limitations in the information management systems utilized by the program, we were unable to assess the number of security clearance files that related to applicants who already possessed a security clearance obtained through another federal department or agency. However, based on interviews with individuals in the program and other hiring managers within the RCMP, we were informed that the volume of these types of files in the process do not represent an immaterial amount of demand for Program staff. As the reliability and availability of performance data improves, the Program will be in a better position to assess the real demand relating to these types of files.
***, DSB could consider either a reduced level of assessment or a risk-based approach to accepting security clearances from other government departments and agencies. Special consideration could also be given to those departments agencies that are part of the security portfolio.
Backlog of Security Files
The periodic review of an employee's security status is referred to as a security update. As per the standard the security manual, an update is required every 10 years for RRS and secret security clearances, and every five years for top secret security clearances. Updates are a critical insider threat mitigation measure. DSB defines insider threat as the threat from an individual, or group, who: has special knowledge, or access, to critical information or assets in an organization; and has the intent to cause harm, danger, or stand to gain from their privileged position.
The 2011 audit reported that a backlog of security clearance updates existed in most regions. As part of its management action plan, DSB was to consider potential solutions to address these backlogs.
***. During the reporting phase of this audit, DSB reported that all DSSs continue to have a significant backlog of security updates, with smaller backlogs for new and upgrade files. ***. We were informed by DSB officials that backlog information for new and upgrade files was not available for previous years, thereby limiting our ability to assess whether those backlogs were increasing or decreasing.
In addition, as the reliability and availability of performance data relating to backlogs improves, DSB and DSSs will be in a better situation to assess whether a strong business case exits for additional program resources for short term "surge" efforts. By eliminating backlogs, resources dedicated to the program would be able to focus on new files, thereby helping to increase the timeliness of processing.
By taking appropriate and timely action with respect to security clearance backlogs, the RCMP will reduce its risk of *** and will be better positioned to direct its program resources to new security clearance files.
Online Industrial Security Services Portal
DSB is in the process of replacing the existing paper-based information-gathering process with Public Works and Government Services Canada (PWGSC) ***. This application streamlines the form completion process and reduces the need to correct errors or track down missing information. *** has been implemented for Regular Member recruiting, and is being piloted in at the Central DSS for other employee categories.
Other potential process efficiencies
In 2013, following the 2011 internal audit, DSB conducted a business process re-engineering initiative aimed at mapping and measuring the process, and making performance improvements accordingly. The process included onsite consultations with each DSSs where processes were identified, challenges noted, and best practices reported. The benchmarking exercise identified the following bottlenecks:
- Requesting and awaiting missing information from hiring managers and/or applicants;
- Requesting field investigations;
- Awaiting the completion of the field investigation/security interview;
- Awaiting database checks that cannot be conducted by the analyst themselves;
- Awaiting the outcome of risk investigations resulting from the identification of adverse information; and
- Time spent in internal queues awaiting the availability of security analysts.
Given both the lack of detailed performance data for the files sampled during our site visits and the differing practices across the DSSs the audit team was not able to measure and analyze these bottlenecks in any detail. However, through interviews and observation the audit team was able to corroborate that these areas continue to be perceived bottlenecks in the process. As the reliability and availability of performance data improves, the Program will be in a better position to assess the impact of each of these areas on the overall timeliness of the process and any related efficiency enhancement.
DSB has made progress on certain issues identified by IAER's 2011 Audit of Personnel Security. In addition to enhancing the rigour in the screening process and defining and communicating risk tolerances through RCMP's Senior Executive Committee, DSB has identified and implemented a number of process efficiencies and initiated process enhancing initiatives.
***. Improvements in these areas are necessary to further facilitate improvements to the effective and efficient delivery of the security screening program.
***. DSB is aware of these challenges and is taking measures to improve the capture of performance information. Notwithstanding the challenges relating to the ***, through our file review and analysis of available program information we were able to identify a number of potential opportunities and mechanisms that could improve the efficiency of the process.
- The Deputy Commissioner Specialized Policing Services should work with the Senior Executive Committee and Commanding Officers to further define, document, and communicate the authorities of the DSO within the departmental security program and specifically the personnel security screening program.
- The Deputy Commissioner Specialized Policing Services should develop a mechanism to capture complete and accurate personnel security screening program costs to enable informed decision-making relating to determining resource requirements and the strategic reallocation of funds within the program.
- The Deputy Commissioner Specialized Policing Services should develop a performance measurement framework and create a national oversight and monitoring function to ensure the personnel security screening program is meeting its objectives.
- The Deputy Commissioner Specialized Policing Services in collaboration with other departmental security stakeholders should assess the merits and the feasibility of the potential process efficiencies identified in section 3.2 of this report.
Appendix A – Audit objective and criteria
Objective: The objective of this audit engagement was to assess the efficiency and effectiveness of the processes for providing personnel security screening to ensure they are: consistent with the Policy on Government Security and Security Screening Standard; streamlined; and timely.
Criteria 1: The governance framework, funding structure, and oversight mechanisms enable the achievement of departmental security screening objectives and intended results.
Criteria 2: All steps in the security screening process, including the use of appropriate tools, have been reviewed to identify opportunities to improve the efficiency of the process while considering the risks to the organization.
Criteria 3: Policies and procedures governing the personnel security screening process are aligned with the Policy on Government Security and Security Screening Standard and have been consistently applied across the regions
Criteria 4: Appropriate and sufficient performance information is available and is used by management to monitor, report on performance, and facilitate decision-making and resource allocation.
Criteria 5: Service standards have been established and are monitored against client expectations.
Criteria 6: Risk tolerances, with respect to personnel security screening, have been identified and communicated.
Appendix B – Screening process overviewFootnote 5
Appendix C – File review detailed results
- Date modified: