Directive on Security Management

Aims to achieve efficient, effective and accountable management of security within departments and agencies.
Date modified: 2019-07-01

Supporting tools

Mandatory procedures:

More information


Print-friendly XML
The Directive on Security Management and its Mandatory Procedures took effect on July 1, 2019. It replaced the Directive on Departmental Security Management, as well as the Operational Security Standard - Business Continuity Planning (BCP) Program, the Operational Security Standard on Physical Security, the Operational Security Standard - Readiness Levels for Federal Government Facilities, and the Operational Security Standard: Management of Information Technology Security (MITS).

Appendix G: Mandatory Procedures for Security Event Management Control

G.1 Effective date

  • G.1.1These procedures take effect on July 1, 2019.

G.2 Procedures

  • G.2.1These procedures provide details to support the deputy head accountability.

    The procedures and subsections are as follows:

    Procedure Subsection
    Departmental security event management practices G.2.2
    Security event reporting G.2.3
    Security in emergency and increased threat situations G.2.4
    Administrative investigations of security events G.2.5
    Post-event analysis G.2.6
    Security event records G.2.7
  • G.2.2Departmental security event management practices: Define, document and maintain departmental security event management practices:
    • G.2.2.1Define security event management processes, including responsibilities of all stakeholders, with consideration given to partners (for example, other departments, suppliers and other orders of government) and government-wide processes;
    • G.2.2.2Designate an official departmental contact to support government-wide communications of threats and vulnerabilities, and responses to security incidents and other security events, in accordance with government-wide processes;
    • G.2.2.3Establish resources to support the implementation of security event management processes and to enable secure exchange of relevant information within the department and with other stakeholders;
    • G.2.2.4Implement measures to ensure that security event management processes can be triggered in the event of disruptions that affect their supporting resources;
    • G.2.2.5Coordinate security event management processes with communications plans and with business continuity, emergency management, strike management, and other contingency plans and measures, as applicable; and
    • G.2.2.6Test security event management processes to ensure preparedness and to support continuous process improvement.
  • G.2.3Security event reporting: Assess, document, report and share information related to threats, vulnerabilities, security incidents and other security events, in accordance with departmental and government-wide processes (see Appendix I: Standard on Security Event Reporting):
    • G.2.3.1Ensure that reporting and sharing of information related to threats, vulnerabilities, security incidents and other security events is restricted to authorized users who have been security-screened at the appropriate level and who need to access the information to ensure appropriate preparedness, response or recovery; is effected using mechanisms that provide protection commensurate with the sensitivity of the information and threats to which the information may be exposed; and is conducted within the bounds of applicable legislation, policies or other obligations;
    • G.2.3.2Report security events that affect, or that have the potential to affect, government-wide preparedness, response or recovery, to the appropriate lead security agency or central agency;
    • G.2.3.3Report all suspected criminal activity, including but not limited to theft and breach of trust, to the appropriate law enforcement authority; provide all relevant documents, materials and details; and follow protocols to ensure preservation of evidence and cooperation between the department and law enforcement authorities; and
    • G.2.3.4Inform other departments and stakeholders when there is reason to believe that an event originated from, or could potentially affect, an organization, including internal enterprise service organizations, departments that provide or receive services under agreements or other arrangements, suppliers and other partners.
  • G.2.4Security in emergency and increased threat situations: Define, document and implement processes and measures to achieve and maintain a baseline readiness level, and to enable increased levels of security in the event of an emergency or increased threat situation to prevent or minimize impacts and potential losses:
    • G.2.4.1Apply defined readiness levels based on the level of threat to Government of Canada employees, information, assets or service delivery;
    • G.2.4.2Identify responsibilities for all departmental employees who have responsibilities for implementing readiness processes and measures:
      • G. the departmental contact for security event management as the official liaison for purposes of declaring and applying heightened readiness levels within the department;
    • G.2.4.3Report, without delay, a declaration of a higher readiness level and a return to lower levels of readiness to the Privy Council Office, in accordance with Appendix I: Standard on Security Event Reporting;
    • G.2.4.4Implement changes in readiness level when directed by the Privy Council Office, in response to emergency and increased threat situations that may affect multiple departments, national security and the government as a whole; and
    • G.2.4.5Coordinate readiness processes and measures with security event management processes and business continuity plans and with emergency preparedness and response measures.
  • G.2.5Administrative investigations of security events: Conduct thorough and impartial administrative investigations of security incidents and other security events of significance in a manner that ensures the protection of evidence, respects the rights of individuals, and does not hinder potential civil or criminal proceedings:
    • G.2.5.1Define practices for the conduct of administrative investigations of security events;
    • G.2.5.2Inform parties who are involved in administrative investigations of security events of their rights and obligations; and
    • G.2.5.3Conduct administrative investigations of security events independently of, and without any specific intent to advance, a criminal investigation in order to avoid compromising such investigations.
  • G.2.6Post-event analysis: Conduct analysis following security incidents and other security events of significance, to enable the application of corrective actions and to support process improvement:
    • G.2.6.1Communicate results of post-event analysis to the appropriate lead security agency or central agency, as applicable and based on the severity and scope of the event.
  • G.2.7Security event records: Maintain thorough records on all security incidents and other security events of significance, including identification of the programs, services, activities and resources affected; an assessment of the severity and scope of the impacts (degree of injury); findings of administrative investigations; and the results of post-event analysis:
    • G.2.7.1Apply protective measures to ensure that access to security event records is restricted to security officials and other authorized users, to maintain the integrity of these records.
Date modified: