Skip to content | Skip to institutional links

Common menu bar links

Institutional links

Proactive Disclosure

Government

BASCS Guidance

Security Function Model

Introduction
Links to Relevant Security Policies and Legislation
Security Function Business Process Model
Security Sub-function Business Process Model
Security Function Draft Classification Model
Legislative and Government Policy Requirements for BASCS Security Draft Classification Model
Sample Conversion Plans for Security Records

Introduction

This section covers the Security Function, sub-functions, processes, activities, and transactions of common administrative business, commonly conducted in and across all government institutions to facilitate the delivery of programmes and services.

Links to relevant Security policies and legislation

The Security function has been modeled according to specific policies, legislations or documents related to Security within the Government of Canada, in addition to a number of common laws, policies and publications that relate to all common administrative functions addressed within this BASCS Guide.

Common legislation:

Common Treasury Board Secretariat policies and publications:

A search for other links to policies that may relate to the Management of Information Technology function can be undertaken by accessing the Treasury Board website, while links to related legislation can be further researched on the Justice Canada website.

Security Function Business Process Model

According to our research and consultation process, we have identified a number of sequential sub-functions within the Security business process model. These sub-functions, shown in black text in the diagram below, provide a foundation for BASCS classifications related to the Security function.

Security Function Business Process Model

Security Function Draft Classification Model

This model records classification structure addresses the Security function, the steps in the business process developed to fulfill the function (i.e., sub-functions), the activities associated with each of these sub-functions, and the transactions of administrative business concerning security within the federal government -- as commonly conducted in and across all government institutions to support the national interest and Government of Canada's business objectives by safeguarding employees and assets, and by assuring the continued delivery of services.

It is important to note that the sub-functions and activities identified by this model address the business process of the Security Function as a whole, and which take into account application and integration of certain specific elements of security designed to fulfil the requirements of the Government Security Policy. These elements include: Security in Contracting; Security Training, Awareness and Briefings; Identification of Assets; Access Limitations; Security Screening; Protection of Employees; Physical Security; Information Technology Security; Security in Emergency and Increased Threat Situations; Business Continuity Planning; and Investigation of Security Incidents.

The four sub-functions of Security are:

Security - Policy Implementation
Security - Security Risk Management
Security - Application & Integration
Security - Review of Activities

As a business process, these sub-functions are arranged in the following sequence:

SECURITY FUNCTION

PRIMARY NUMBERS AND SUB-FUNCTIONS

X.0 Security - Comprehensive Matters

X.1 Security - Policy Implementation

X.2 Security - Security Risk Management

X.3 Security - Application, Integration

X.4 Security - Review (of activities)

Note: the numeric coding system presented in this draft model classification structure is used for example purposes only. As of the date of this model, LAC has made no final decisions regarding the application of a standard coding system (including delimiters) to complement classification structures for common administrative records.

X.0 SECURITY - COMPREHENSIVE MATTERS

The Security - Comprehensive Matters record grouping is reserved for records of activities and transactions that relate to, or affect, in a comprehensive manner, the Security function or the business process developed to fulfil that function (i.e., this record grouping is reserved for records of activities and transactions that relate to or affect all or most sub-functions of the Security business process).

Examples of such activities and/or transactions are:

developing, applying, monitoring and/or evaluating policies, guidelines, systems, procedures, etc., that address or encompass all or most aspects of the Security function and/or business process (examples of record types include draft and approved policies, guidelines, procedures, draft and final requirements definitions for security information technology systems¹, and requirements definitions for comprehensive security learning programs²);

group activities and initiatives (e.g., those of committees, project teams, delegations, etc.) that focus on all or most aspects of the Security function and/or business process (examples of record types include committee and/or work group meeting agenda and minutes, records of decisions, issue logs);

liaison activities that address or encompass all or most aspects of the Security function and/or business process (examples of record types include documents of inter-organizational information sessions and/or collaborative initiatives);

reporting activities that address or encompass all or most aspects of the Security function and/or business process (examples of record types include draft and final reports addressing the overall security function and/or business process).

¹ Note: for records of activities relating to information technology systems, see the model records classification structure developed for the Management of Information Technology function.

² Note: for records of activities relating to the delivery of learning programs, see the model records classification structure developed for the Human Resources Management function.

Note: records of activities and/or transactions that related to specific sub-functions of the Security business process (i.e., policy implementation, security risk management, application and integration, and review of activities) should be classified to those sections of this classification scheme. Records that simultaneously address two or more, but not all, sub-functions of the business process should be classified to one of those sub-functions and the existence of these records should be noted in the descriptions of the related sub-function, activity, and/or transaction records groupings or, if appropriate, in the profiles of related individual documents (as a metadata 'cross-reference' element).

Example information groupings for: Security - Comprehensive Matters

X.0-0 Security - Comprehensive Matters - Policy Matters (reserved for records related to developing, applying, monitoring and/or evaluating policies that simultaneously addresses all or most sub-functions of the Security function)

X.0-1 Security - Comprehensive Matters - General Matters (reserved for records related to Security - Comprehensive Matters record grouping but for which no specific file or file groups has been created)

X.0-2 Security - Comprehensive Matters - [Department/Sector/Branch] Security Committee (reserved for records related to the deliberations of the [department/sector/branch] Security Committee)

X.0-3 Security - Comprehensive Matters - Liaison Activities (reserved for records related to internal or external relations on a spectrum of issues and/or initiatives that encompass all or most aspects of the Security function)

X.0-4 Security - Comprehensive Matters - Reporting Activities (reserved for records related to the activity of reporting to management on department/sector/branch security matters of a comprehensive nature)

Top of Page

[back to Security Function - Primary Numbers and Sub-functions]

X.1 SECURITY - POLICY IMPLEMENTATION

This sub-function record grouping is reserved for records of activities and transactions that relate to or affect, in a specific manner, the process of identifying and assessing all policy framework requirements (i.e., as documented in the Government Security Policy and all applicable policy instruments referenced by the GSP, as well as other policy related instruments external to the Government of Canada) in relation to institutional security needs and objectives, and developing and establishing the internal security policy framework that acts as the source of direction, guidance, standards, advice, etc., governing the integrated departmental security program.

Activities associated with the Security - Policy Implementation sub-function may have a sequential relationship as follows:

'Security - Policy Implementation' entails the activities of:

assessing external policy requirements in relation to internal security needs and objectives;

developing an internal security policy framework to address all applicable requirements and to meet departmental security needs and objectives (note: this framework acts as the source of direction, guidance, standards, advice, etc., governing the internal integrated departmental security program);

implementing an approved departmental security policy framework; and

reviewing the departmental security policy framework to ensure that it continues to meet institutional security needs and objectives, and that it reflects current policy requirements.

Example information groupings for: Security - Policy Implementation

X.1-0 Security - Policy Implementation - Policy Matters (reserved for records related to developing, applying, monitoring, and/or evaluating policies that address the 'policy implementation' sub-function of the Security function)

X.1-1 Security - Policy Implementation - General Matters (reserved for records related to the Security - Policy Implementation sub-function record grouping but for which no specific file or file grouping has been created)

X.1-2 Security - Policy Implementation - Government Policy Implementation Process (reserved for records related to the Government of Canada and institution-specific policy implementation processes that have security - policy implementation implications)

X.1-3 Security - Policy Implementation - Policy Implementation Committee (reserved for records related to the deliberations of a [departmental/sector/branch] security policy implementation committee)

X.1-4 Security - Policy Implementation - Assess (reserved for records related to identifying and assessing all external policy framework requirements - as identified in the Government Security Policy and all applicable policy instruments referenced by the GSP, as well as other relevant policy instruments external to the Government of Canada - in relation to internal security needs and objectives)

X.1-5 Security - Policy Implementation - Develop (reserved for records related to developing an internal security policy framework that addresses all applicable requirements and meets departmental security needs and objectives, and which acts as the source of direction, guidance, standards, advice, etc., governing the integrated departmental security program)

X.1-6 Implement - Policy Implementation - Cost (reserved for records related to implementing the internal security policy framework governing the integrated departmental security program by obtaining the approval of senior management and appropriate action by all departmental security program participants)

X.1-7 Security - Policy Implementation - Review (reserved for records related to the periodic review of the internal security policy framework to ensure that institutional security needs and objectives continue to be met, and to ensure that the departmental security program is based on the most current legislated policy instruments, operational standards and technical documentation)

Top of Page

[back to Security Function - Primary Numbers and Sub-functions]

X.2 SECURITY - SECURITY RISK MANAGEMENT

This sub-function record grouping is reserved for records of activities and transactions that relate to or affect, in a specific manner, the process for achieving the proper balance between business and security requirements. This process depends on security experts identifying the acceptable level of residual risk to the appropriate authority or senior manager. Security Risk Management entails performing Threat & Risk Assessments (TRA); the development and implementation of appropriate safeguards - based on the integrated assessments of threats and risks to the national interest and to government employees and assets; the continuous monitoring of the threat environment; and making adjustments as necessary to maintain an acceptable level of risk. Activities associated with the Security - Security Risk Management sub-function may have a sequential relationship as follows:

'Security - Security Risk Management' entails the activities of:

Threat & Risk Assessment

Implementation of Safeguards

Monitor & Adjust

Example information groupings for: Security - Security Risk Management

X.2-0 Security - Security Risk Management - Policy Matters (reserved for records related to developing, applying, monitoring, and/or evaluating policies that address the 'security risk management' sub-function of the Security function)

X.2-1 Security - Security Risk Management - General Matters (reserved for records related to the Security - Security Risk Management sub-function record grouping but for which no specific file or file grouping has been created)

X.2-2 Security - Security Risk Management - Government Risk Management Process (reserved for records related to the Government of Canada and institution-specific risk management processes that have 'security - risk management' implications)

X.2-3 Security - Security Risk Management - Security Risk Management Committee (reserved for records related to the deliberations of a [departmental/sector/branch] security risk management committee)

X.2-4 Security - Security Risk Management - Assess (threats & risks) (reserved for records related to assessing threats and risks for the purpose of determining the nature and necessity of safeguards - at or beyond baseline levels. This includes: establishing the scope of Threat and Risk Assessments (TRA) - by identifying the employees and/or assets to be safeguarded; determining the threats to employees and/or assets; assessing the likelihood and impact of threat occurrence; assessing the nature and level of risk based on the adequacy of existing safeguards and vulnerabilities; and determining the appropriate safeguards and standards to be implemented)

X.2-5 Security - Security Risk Management - Implement (safeguards) (reserved for records related to implementing appropriate safeguards and standards to reduce the risk of threat to an acceptable level, as well as confirming the appropriateness of minimum safeguards and standards, and supplementing them where necessary)

X.2-6 Security - Security Risk Management - Monitor, Adjust (reserved for records related to monitoring for any change in the threat environment and making any adjustments to safeguards and standards that would be necessary to maintain an acceptable level of risk, and an appropriate balance between operational needs and security)

Top of Page

[back to Security Function - Primary Numbers and Sub-functions]

X.3 SECURITY - APPLICATION, INTEGRATION

This sub-function record grouping is reserved for records of activities and transactions that relate to or affect, in a specific manner, the process of applying safeguards (and related systems and procedures) in an integrated fashion that can protect, detect, respond to and recover from an unwanted event. This includes integrating all elements of the security program (such as Security in Contracting; Security Training, Awareness and Briefings; Identification of Assets; Access Limitations; Security Screening; Protection of Employees; Physical Security; Information Technology Security; Security in Emergency and Increased Threat Situations; Business Continuity Planning; and Investigation of Security Incidents) within the departmental framework for all business lines, in complement with other government measures on the management of emergency situations such as fire, bomb threats, hazardous materials, power failures, evacuations and civil emergencies. Activities associated with the Security - Application & Integration sub-function may have a sequential relationship as follows:

'Security - Application & Integration' entails the activities of:

Planning

Coordinating

Implementing

Monitoring

Example information groupings for: Security - Application, Integration

X.3-0 Security - Application, Integration - Policy Matters (reserved for records related to developing, applying, monitoring, and/or evaluating policies that address the 'application, integration' sub-function of the Security function)

X.3-1 Security - Application, Integration - General Matters (reserved for records related to the Security - Application, Integration sub-function record grouping but for which no specific file or file grouping has been created)

X.3-2 Security - Application, Integration - Government Application, Integration Process (reserved for records related to the Government of Canada and institution-specific application, integration processes that have security - application, integration implications)

X.3-3 Security - Application, Integration - Application, Integration Committee (reserved for records related to the deliberations of a [departmental/sector/branch] security application, integration committee)

X.3-4 Security - Application, Integration - Plan (reserved for records related to the determination of safeguards, elements, methods, applications, processes and procedures, roles and responsibilities, priorities, resources, etc. required to apply and integrate all of the requirements of the departmental security program within the departmental business framework)

X.3-5 Security - Application, Integration - Coordinate (reserved for records related to the coordination of the application and integration of interdependent safeguards and security elements within the departmental business framework, including establishing internal and/or external linkages, working relationships and arrangements with various administrative functions, security specialists, and other GC departments and security service networks)

X.3-6 Security - Application, Integration - Implement (reserved for records related to the implementation of interdependent safeguards and integrated security elements within the departmental business framework by applying the methods, applications, processes and procedures, roles and responsibilities, resources, etc. designed to meet departmental security objectives)

X.3-5 Security - Application, Integration - Monitor (reserved for records related to the monitoring of the performance and effectiveness of all measures designed to apply and integrate interdependent safeguards and security elements within the departmental business framework and making adjustments as necessary)

Top of Page

[back to Security Function - Primary Numbers and Sub-functions]

X.4 SECURITY - REVIEW

This sub-function record grouping is reserved for records of activities and transactions that relate to or affect the monitoring and evaluation of the effectiveness of the integrated security program and appropriate reporting so that necessary changes and modifications can be implemented. Activities associated with the Security - Review of Activities sub-function may have a sequential relationship as follows:

'Security - Review of Activities' entails the activities of:

Monitoring

Evaluating

Reporting

Modifying

Example information groupings for: Security - Review

X.4-0 Security - Review - Policy Matters (reserved for records related to developing, applying, monitoring, and/or evaluating policies that address the 'review' sub-function of the Security function)

X.4-1 Security - Review - General Matters (reserved for records related to the Security - Review sub-function record grouping but for which no specific file or file grouping has been created)

X.4-2 Security - Review - Government Security Review Process (reserved for records related to the Government of Canada and institution-specific review processes that have security - review implications)

X.4-3 Security - Review - Policy Implementation Committee (reserved for records related to the deliberations of a [departmental/sector/branch] security review committee)

X.4-4 Security - Review - Monitor (reserved for records related to monitoring or auditing the departmental security program)

X.4-5 Security - Review - Evaluate (reserved for records related to evaluating the findings of activities to monitor or audit the departmental security program)

X.4-6 Security - Review - Report (reserved for records related to reporting the results of evaluations of the departmental security program, including details of assessments and related recommendations, to respective stakeholders including Treasury Board of Canada Secretariat)

X.4-7 Security - Review - Modify (reserved for records related to modifying the departmental security program or any of its elements, based on recommendations adopted or accepted by the appropriate authorities)

[back to Security Function - Primary Numbers and Sub-functions]

Legislative and Government Policy Requirements for BASCS Security Draft Classification Model

Click here to check the status of the legislative and government policy requirements for BASCS Security draft classification model.

Sample Conversion Plans for Security Records

SSample conversion plans for Security records will be appended as they become available. Click here to check the status of sample conversion plans.

Return to BASCS Guidance Home Page