Detailed observations
1. Establish protocols for joint ownership of security policies and monitoring controls (design effectiveness)
Overall rating: Moderate
Observation:
Currently there is no central ownership within the organization of the security policies, programs and plans associated with enterprise security risk. The Facilities department manages building security infrastructure for facilities within its budgeted portfolio (not all City facilities; for example, wastewater treatment plants), including the key card hardware system, duress/panic alarms, security cameras and intrusion alarms.
a) When it comes to employee health and safety, policies and procedures are centrally maintained and updated with clear joint responsibilities outlined. However, with regard to how security-related procedures are managed, we noted the following:
● some procedures were outdated (more than 10-15 years old) including visitor log, duress system, emergency blue lights, key/access card; and
● specific policies which were observed in other comparable municipalities were not available (Security Video Surveillance Policy and Corporate Security Message Center (CSMC) Policy).
b) While processes exist in some facilities to test security infrastructure, a consistent methodology for performing threat/vulnerability/risk assessments (TRVA) and periodic hardware/infrastructure inspections was not in force at the time of the audit. We understand more formal risk assessments may occur after the master plan is finalized, subject to funding approval. While health and safety hazard/risk information is gathered from the H&S teams managed by the HR function, the interaction points for sharing this information with other functions (e.g. facilities) are not clearly defined. Management on site is currently responsible for ensuring the work is completed for their site, with follow-up provided by the JHS committees.
Implication
Security policies and procedures, roles and responsibilities as well as accountabilities and expectations are not sufficient for the security risks present.
Recommendation
a) Management should consider the recommendations made by the third party consultant as they pertain to the central/corporate security division or unit. However, in the interim, we recommend drafting a policy to provide staff with clarity on joint and individual responsibilities:
- the ownership of security risks should rest with the facilities department when it pertains to managing security infrastructure (cameras, doors, lighting, emergency duress system, key card hardware system, etc.);
- where there is joint responsibility, a policy should be developed articulating the responsibilities by workplace, occupation or services with consideration for assessing risk/hazards, recommending security measures/needs, performing regular testing and reviews; and
- criteria for assigning responsibilities may also need to be developed such as a focus on the department occupying each facility.
Management should consider grouping the properties in the downtown core so they are managed with a more specific focus toward central ownership. This may be accomplished with a Downtown Security Plan, which would incorporate downtown posts including the posts managed via a contracted service provider.
Within the downtown plan, we recommend developing a Security Video Surveillance Policy and a CSMC usage procedure for effective communication. New or updated policies and procedures should be communicated to relevant employees on a timely basis.