Chapter 1: General introduction

On this page

• 100. Industrial Security Manual
• 101. Policy on Government Security
• 102. Contract Security Program
• 103. Appointment of the company security officer and alternates
• 104. Responsibilities of the company security officer
• 105. Corporate company security officer
• Annexes

100. Industrial Security Manual

1. General

The Industrial Security Manual (ISM) is produced for industry by the Government of Canada’s Canadian Industrial Security Directorate (CISD) and the International Industrial Security Directorate (IISD) at Public Services and Procurement Canada.

2. Scope

This manual is a simple reference which tells company security officers what they must know about Canadian government security standards and procedures and how to ensure that their organization meets these security requirements.

3. Application

This manual prescribes the procedures to be applied by Canadian-based organizations, for the safeguarding of government information and assets, provided to or produced by private organizations and where security is administered by the Contract Security Program of Public Services and Procurement Canada. Procedures are also provided for the same activities related to allied foreign government departments and agencies contracting through, Public Services and Procurement Canada as in the case of multinational ventures where Canada is a partner.

4. Content

This manual is comprised of 12 chapters, each chapter being immediately followed by applicable referenced annexes. A glossary of terms to enhance understanding of the manual and a short list of abbreviations and acronyms are also appended at the end of the manual.

5. Format

Where applicable, chapters deal separately with classified and protected information and assets. Accordingly, the reader need only be concerned with that information which is clearly separated in one security category or the other.

101. Policy on Government Security

General

1. The Policy on Government Security is issued by Treasury Board under authority derived from government decision and Section 7 of the Financial Administration Act.

   The policy objective is to "ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management."

   Federal contracts are subject to the provisions of this policy. Public Services and Procurement Canada is the designated lead department responsible for advice and guidance on security requirements in federal contracts for goods and services.

   The Contract Security Program of Public Services and Procurement Canada ensures the requisite security in the private sector. Specifically, the Director of CISD and the Director of IISD are responsible for ensuring the implementation and subsequent review of all security measures within Canadian-based industries (or other non-government organizations), in those instances where Canadian protected and classified or foreign classified information and assets is disseminated to the private sector, relative to a contract, agreement, or pre-contractual requirement involving Public Services and Procurement Canada.

2. Many agencies assist both CISD and IISD in meeting this responsibility, including the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP), the Department of National Defence (DND) and their counterparts in foreign countries, as well as the Communications Security Establishment (CSE of DND).

102. Contract Security Program

Aim

1. The aim of a security program is to prevent unauthorized disclosure, destruction, removal, modification or interruption of protected and classified information and assets. Achievement of this aim requires an organizational structure and administrative procedures which support four subsystems providing for:
   • physical security (location and design of accommodation and physical measures to prevent, detect and respond to unauthorized access)
   • information technology security (control of access to information used in electronic data processing or communicated electronically)
   • personnel security (personnel screening, education and sanctions)
   • foreign disclosure of information and assets as prescribed in bilateral memorandum of understanding and arrangements
2. Personnel security screening determines the loyalty or reliability of persons for authorized access. These sub-systems are interrelated, so the effectiveness of a security program depends on the performance of all components.
3. The Contract Security Program is organized to provide details of all of the components of a security program in a coordinated manner. Organizations that are granted a designated organization screening (DOS) or a facility security clearance (FSC) under the Contract Security Program shall implement security programs, on an appropriate scale.

Application

The Contract Security Program provides guidance to Canadian industry and other organizations, to ensure the safeguarding of protected and classified information and assets in the custody or under control of private sector contractors or individuals, in order to prevent:

1. a security breach or compromise of such information and assets
2. disruption or destruction of services
3. theft, misuse or abuse of property, which could hinder contract performance and could create a potential compromise of material

Scope

Within the contractor's environment, the Contract Security Program includes security of:

1. contractor's organization
2. protected and classified information and assets released to a contractor
3. goods or material being produced by a contractor under contract
4. protected and classified information and assets during transmission
5. protected and classified information processed electronically at a contractor's facilities
6. the equivalent in non-commercial organizations such as universities

Publicity

Organizations cleared under the Contract Security Program are not to publicize their security status or refer to it in advertising or promotional activities. Information of this nature is to be safeguarded in order to ensure that organizations do not become targets for security infiltration or terrorism activity. Any enquiries received by organizations concerning their security status are to be directed to the CISD. In the case of a prime and subcontractor relationship, a subcontractor may provide to a prime contractor that is registered in the Contract Security Program verification of their organization’s security status as issued by CISD. Subcontractors may obtain written verification of their security status by contacting the Contract Security Program.

103. Appointment of the company security officer and alternates

The appointment of a company security officer (CSO) applies to all organizations that require a designated organization screening or a facility security clearance.

Minimum requirements for the appointment of a company security officer

As a minimum, a CSO must:

1. be a Canadian citizen and an employee of the organization
2. be security screened to the Reliability status level in the case of a designated organization screening
3. be security cleared to the level of the facility security clearance
   • there are exceptions to this requirement for some North Atlantic Treaty Organization (NATO) and some top secret facility security clearances
     • please consult your field industrial security officer for further information
4. report to a designated key senior official (KSO) on all security matters and should be located at the organization's Canadian headquarters to permit personal communication with the KSO on security matters

Appointment of a company security officer

The CSO shall be appointed by the chief executive officer or the designated KSO of the organization. To appoint a CSO, the Public Services and Procurement Canada Annex 1-A: Corporate company security officer/company security officer security appointment and acknowledgement and undertaking form must be submitted to CISD for approval. CISD will not discuss security matters, nor will they release any material to a CSO until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.

Alternate company security officer (to carry out the duties of the company security officer in their absence)

The CSO should designate, from among the organization's appointed alternate company security officers (ACSO), one alternate company security officer to carry out the duties of the CSO in their absence and shall advise CISD of this choice accordingly. This alternate company security officer shall be a Canadian citizen, an employee of the organization and shall be security screened or cleared to the same level as the CSO.

In the event that the CSO terminates employment with the organization, the designated alternate company security officer will assume all responsibilities for industrial security. The organization must appoint a new CSO as soon as possible afterwards using Public Services and Procurement Canada Annex 1-A: Corporate company security officer/company security officer security appointment and acknowledgement and undertaking form. Failure to appoint a new CSO who is security screened or cleared to the appropriate level may result in the suspension of the organization's designated organization screening or facility security clearance.

Minimum requirements for the appointment of additional alternate company security officers

With the exception of a one person organization, it is a mandatory requirement that at least one alternate company security officer be appointed at the organization's facility where the CSO is located, and at least two ACSOs be appointed at each additional facility of the organization where protected or classified information and assets are safeguarded.

As a minimum, the ACSO must:

1. be a Canadian citizen and employee of the organization
2. be screened to the Reliability status level in the case of a designated organization screening
3. be security screened to the Reliability status level in the case of facility security clearance without classified document safeguarding capability
4. be security cleared to the level of the facility security clearance in the case of a facility security clearance with classified document safeguarding capability
   • there are exceptions to this requirement for some NATO and some top secret facility security clearances
     • please consult your field industrial security officer for further information
5. report to the company security officer on all security matters

Appointment of alternate company security officers

The company security officer shall appoint the alternate company security officers of the organization. To appoint an ACSO, the Public Services and Procurement Canada Annex 1-B: Alternate company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. CISD will not discuss security matters, nor will they release any material to an alternate company security officer until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.

104. Responsibilities of the company security officer

1. In relation to a designated organization screening (DOS) or a facility security clearance (FSC), the CSO is responsible for:
   1. identifying those employees who require access to protected and classified information, assets, or protected and classified work sites and ensuring that accurate and complete personnel security screening documentation is submitted for such employees
   2. providing change of circumstance reports for personnel with regard to their security screening status as outlined in this manual
   3. where necessary, arranging resolution of doubt interviews with employees
   4. ensuring that employees receive a security briefing upon notification of having been granted a security clearance or Reliability status by completing the security screening certificate and briefing form
   5. ensuring the security screening certificate and briefing form is submitted in order to terminate the Reliability status or security clearance of those employees who no longer require access to protected and classified information and assets or controlled sites in accordance with contractual requirements
   6. ensuring that only personnel who have been security screened to the appropriate level and who have a need-to-know have access to protected and classified information and assets or controlled sites in accordance with contractual requirements
   7. maintaining a current list of security screened employees in accordance with chapter 2 of this manual
   8. in coordination with client's security representatives, ensuring that employees working at client sites are briefed by the client concerning any relevant security requirements
   9. ensuring that personnel security screening files are safeguarded properly
   10. ensuring the proper completion of requests for visits
   11. in the case of facility security clearances, ensuring that all the organization's key senior officials and CSO and alternates are cleared to the highest level of access required
   12. for designated organization screening, ensuring that all the CSOs and ACSOs are security screened to Reliability status
   13. informing CISD of any changes in the organization's legal status or ownership and in the case of facility security clearances, changes in the list of KSOs
   14. informing CISD prior to any physical move or new construction which could affect the safeguarding of protected and classified information or assets
   15. appointing, briefing and training all alternate company security officers
   16. appointing, from among the appointed alternate company security officers, one officer to be the company security officer in their absence
   17. reviewing the security requirements as defined in the contract security requirements checklist (SRCL) or contract security clauses and ensuring that all security requirements are adhered to
   18. obtaining approval from CISD prior to subcontracting contracts with security requirements
2. In relation to a designated organization screening (DOS) or a facility security clearance (FSC) with document safeguarding capability, the CSO is also responsible for:
   1. preparing Annex 1-C: Security orders and ensuring that all personnel who have access to protected and classified information and assets have been briefed on their security responsibilities through the implementation of an effective security awareness program
   2. appointing, when required, an IT corporate security coordinator and designates
   3. appointing, when required, communication security (COMSEC) and alternate COMSEC custodians in accordance with the Industrial COMSEC Material Control Manual
   4. ensuring that all protected and classified information and assets are safeguarded and handled in accordance with the provisions of this manual
   5. ensuring that company security officer inspections are conducted, at least annually, of all the organization's facilities that hold protected and classified information and assets and that records of these inspections are retained for at least three years
   6. providing, as a minimum, an annual inventory of protected and classified information and assets
   7. ensuring that all security violations are recorded and subsequently investigated
   8. ensuring that CISD is immediately notified of any breach or compromise, and that a written report is submitted to CISD as soon as possible. Investigation of breaches or instances of compromise shall be coordinated by CISD
3. To ensure that security issues are properly addressed and properly coordinated, it is necessary that the CSO be the official contact with CISD. In most cases, the company security officer will bring issues to CISD by contacting the manager of the Industrial Security Operations Division. Communication with CISD, whether written or oral, should be limited to the CSO and any ACSOs or the chief executive officer of the organization.

105. Corporate company security officer

1. When a facility-cleared Canadian parent organization own one or more cleared subsidiaries in Canada, a corporate company security officer (CCSO) should be appointed to oversee government industrial security matters for the entire corporation. The corporate company security officer shall be a Canadian citizen, be employed by the organization and shall report to a designated KSO of the organization on all security matters. The appointment of a corporate company security officer does not replace the requirement to have a company security officer at each cleared subsidiary holding protected and classified information or assets.
2. The CCSO shall be appointed by the chief executive officer or the designated key senior official of the parent organization. To appoint a CCSO, the Public Services and Procurement Canada Annex 1-A: Corporate company security officer/company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. The appointment only becomes official when a completed copy of this form has been returned to the organization.
3. In order that the duties of the CCSO are carried out during their absence from the corporation, and unless it is otherwise agreed to by CISD, the CCSO shall designate one CSO as the alternate CCSO and shall advise CISD accordingly.

Annexes

• Annex 1-A: Corporate company security officer/company security officer security appointment and acknowledgement and undertaking form
• Annex 1-B: Alternate company security officer security appointment and acknowledgement and undertaking form
• Annex 1-C: Security orders