Developing a security plan for controlled goods

Registrants in the Controlled Goods Program must develop a security plan for every work site where controlled goods are examined, possessed or transferred.

What is in a security plan

The security plan must include the following information:

• procedures to control the examination, possession and transfer of controlled goods
• procedures for reporting and investigating security breaches
• descriptions of the responsibilities of the security organization, and identification of individuals responsible for the security of controlled goods
• contents of training programs given to officers, directors, employees, temporary workers and international students
• contents of security briefings given to visitors

How to develop a security plan

The following steps are best practices designed to help you develop a security plan:

• Step 1: Prepare a plan
• Step 2: Responsibility of the plan
• Step 3: Reviewing and approval
• Step 4: Implementation
• Step 5: Monitoring

Step 1: Prepare a plan

This is a guide to preparing your own security plan only, and should not be used as a template. Your plan should:

• reflect the specifics of your organization and the type of controlled goods being examined, possessed or transferred at your worksite
• comply with the security requirements documented in the Defence Production Act and the Controlled Goods Regulations

For more information on preparing a security plan:

• Contact the Controlled Goods Program

Complete the following information for each site where you keep controlled goods:

Person’s name and site address

• Security organization
• The following people, on behalf of the registered person, will be responsible for the security of controlled goods and/or controlled technical data at (insert person's name):
  • Mr./Ms. (insert name) is the authorized individual
  • Mr./Ms. (insert name) is the designated official
  • Mr./Ms. (insert name), title (for every employee associated to a responsibility in this security plan)

Responsibilities of the security organization

The responsibilities of the individuals listed above are as follows:

• The authorized individual, on behalf of the registered person, will be responsible for:
  • ensuring that a designated official is appointed for each place of business in Canada where controlled goods and/or controlled technical data are examined, possessed or transferred
  • signing to approve any changes in any of the information contained in the application for registration
• The designated official, on behalf of the registered person, will be responsible for the following:
  • keep records of the most recent security assessment in respect of each of their officers, directors, employees, temporary workers, international students and visitors who examine, possess or transfer controlled goods and maintain those records, as well as supporting documentation, for a period of two years after the day on which the individual in question ceases to act in that capacity
  • for each officer, director and employee of the registered person who requires access to controlled goods and/or controlled technical data:
    • conduct, at least once every five years and with consent, a security assessment in accordance with section 15 of the Controlled Goods Regulations
    • determine, on the basis of a security assessment, the extent to which the individual concerned poses a risk for transferring controlled goods and/or controlled technical data to any person who is not registered or exempt from registration
    • request that the Minister conduct a security assessment in respect of high-risk individuals and provide to the Minister, for the purpose of carrying out that assessment, all information and evidence obtained by the designated official
    • consider any recommendation provided by the Minister
    • decide the extent to which the registered person should authorize the individual to examine, possess or transfer controlled goods and/or controlled technical data
  • verify the information provided to them by temporary workers, international students and visitors for the purpose of applications for exemption and submitting the applications for exemptions to the Minister
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to keep and maintain, during the period of registration and for a period of five years after the day on which the person ceases to be registered, records that contain:
  • a description of any controlled goods and/or controlled technical data received by the person, the date of their receipt and an identification of the person from whom they were transferred
  • a description of any controlled goods and/or controlled technical data transferred by the person, the date of their transfer and the identity and address of the person to whom they were transferred
  • a description of the manner and date of disposition of the controlled goods and/or controlled technical data
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to keep a copy of the evidence referred to in subsection 16(2) of the Controlled Goods Regulations for a period of two years after the day on which the individual who is exempt ceases to have access to the controlled goods and/or controlled technical data of the registered person
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to establish and implement a security plan for each place of business in Canada where the registered person keeps controlled goods and/or controlled technical data
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to provide training with respect to the secure handling of controlled goods and/or controlled technical data for officers, directors, employees, temporary workers and international students who are authorized to possess or examine those goods
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the person, submit to the Minister, every six months, the name of each individual in respect of whom the designated official conducted a security assessment during the previous six months, as well as the individual’s date of birth and an indication of the extent to which they were authorized to access controlled goods
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to provide briefings with respect to the secure handling of controlled goods and/or controlled technical data by visitors who are authorized to examine those goods
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to collect:
  • evidence of the individual's status as a director, an officer or an employee of the person registered to access controlled goods and/or controlled technical data under the International Traffic in Arms Regulations and Title 22, Parts 120 to 130 of the Code of Federal Regulations (Confirmation that the individual is employed by that person)
  • evidence of the registration and eligibility of that person under the International Traffic in Arms Regulations
  • evidence of the eligibility of the individual under the International Traffic in Arms Regulations
• Mr./Ms. (insert name of employee) will be responsible, on behalf of the registered person, to inform the program, within ten business days, of any change of information contained in the application for registration

Procedures to monitor controlled goods

A brief statement outlining the registrant’s involvement with controlled goods, for example, “this company manufactures unpiloted air vehicles for the Department of National Defence and the Canadian Forces.”

• Examine means to consider in detail or subject to an analysis in order to discover essential features or meaning
• Possess means either actual possession, where the person has direct physical control over a controlled good at a given time, or constructive possession, where the person has the power and the intention at a given time to exercise control over a controlled good either directly or through another person or persons
• Transfer means, with respect to a controlled good, to dispose of it or disclose its content in any manner

In order to control the examination, possession and transfer of controlled goods and controlled technical data at (insert registered person's name), the following procedures have been implemented:

• This section, using a list in bullet format, should explain the registered organization's procedures for handling controlled goods during its bidding process and its entire life cycle—from the time a controlled good is first received, while in possession of the company (including the design and production process if applicable), until its final disposition (transfer or disposal). This would include controlled goods in all formats including, but not limited to: electronic data, technical schematics and physical goods. This should also include details of securing the goods while in the company's possession

Information technology: Remote access

• Remote access refers to communication with a data processing facility or server from a remote location through a data link. One of the more common methods of providing this type of remote access is using a virtual private network (VPN)

In order to control and protect controlled goods information, a minimum standard of information technology (IT) security must be exercised. The most accepted practices involve the use of a wide area network (WAN) dedicated to the company or a VPN, which allows secure access to corporate resources by establishing an encrypted tunnel across the Internet.

If a company permits remote access to controlled goods information by its personnel or another entity, which is registered/exempt from registration in the Controlled Goods Program, it should consider the following:

• requests for remote access should be reviewed by the designated official (or their delegated) prior to approval
• remote access should only be granted when required
• standard operating procedures detailing the security practices required by those persons granted remote access should be provided
• the company must employ an acceptable form of IT security/encryption (for example, VPN, WAN) in order to minimize the risk of unauthorized transfer of controlled goods information

In order to minimize the risk of unauthorized examination, possession or transfer of controlled goods or controlled technical data via remote access, the following procedures are to be followed:

• insert list of procedures to be followed by all employees

Breaches: Investigating and reporting

Security breaches are categorized as the unauthorized examination, possession or transfer of controlled goods. Examples of security breaches are: loss, willful damage, tampering and computer hacking or cyber attack. As a condition of registration under the Controlled Goods Regulations (insert registered person's name) must:

• report the security breach to the local police, if it is criminal in nature
• advise the Controlled Goods Program, within three days upon discovery of a potential security breach in relation to controlled goods and/or controlled technology by filling out the security breach report form
• determine the answers to the following questions and initiate these steps (modify as required or add steps as deemed necessary) to identify the cause and prevent reoccurrence:
  • who was involved
  • what controlled goods were involved
  • where did the breach take place
  • when did the breach occur
  • why did it occur
  • how did it occur
  • document the security breach
  • implement corrective measures to ensure similar security breaches do not occur in the future

Download the security breach report form

• Security breach report form

Submit the security breach report form

• Contact the Controlled Goods Program

More information

• Reporting a security breach involving controlled goods

Training

In order to maintain the person's awareness of controlled goods and/or controlled technical data, the officers, directors, employees, temporary workers and international students will be required to:

• read the security plan on an annual basis
• insert the list of any additional training that would be pertinent to the person, such as orientation training

Security briefings

Visitors who have not received an exemption from the Controlled Goods Program will be informed that they will not be allowed to examine, possess or transfer controlled goods in the course of their visit.

Visitors who have received an exemption from the program will be reminded through (insert information that identifies the means of communication used by the registered person and list person's security issues, such as a confidentiality clause.)

Step 2: Responsibility of the plan

The registered person is responsible for establishing, implementing and maintaining the security plan.

Step 3: Reviewing and approval

The reviewing and approval of the security plan is the registered person's responsibility.

Step 4: Implementation

Establish target dates and put the plan into action. Make security both proactive and reactive. Officers, directors, employees, temporary workers, international students and visitors should only examine, possess or transfer controlled goods when it is necessary in order to perform their duties.

Step 5: Monitoring

Monitor the progress of implementing and reassessing the plan as needed. Look for opportunities to improve the plan and securities, especially if upgrading systems and software and expanding the capabilities of the local area network and/or the data risk changes. The process is ongoing and the registered person needs to continually reassess the situation as the internal and external environment changes.

It is important that the registered person works closely with technical staff and provides guidance to them, when necessary, to ensure the completion of the security plan.

More information

• Establishing and maintaining a security plan: Guideline on Controlled Goods Program registration