- 1. Effective date
- 2. Authority
- 3. Context
- 4. Scope
- 5. Purpose
- 6. Details
- 7. Definitions
- 8. References
- 9. Attachments
- 10. Enquiries
Base Building Security Standard
French: la Norme de sécurité de l'immeuble de base
1. Effective date:
October 31, 2018
This standard is to be read in conjunction with the Treasury Board (TB) Policy on Government Security, the PSPC Departmental Security Program (051) policy, and the TB Operational Security Standard on Physical Security.
Real Property Services is identified as a lead security agency within the Treasury Board Policy on Government Security. Specifically, RPS is responsible for providing services related to base building security with respect to the PSPC Real Property Program.
4. Scope
This standard applies to all buildings and assets where PSPC has a custodial or ownership responsibility. This includes Crown-owned and leased assets, multi-tenant buildings, and other PSPC assets such as, but not limited to, bridges, dams, heating plants, and PSPC-controlled underground infrastructure such as underground utilities, transportation, or waste disposal.
5. Purpose
This standard ensures the uniform and efficient implementation of base building security in all PSPC custodial, leased, and engineering assets (specific to bridges and dams), as well as infrastructure assets (including, but not limited to, heating plants and underground plumbing and hydro connections), in accordance with the minimum standards set out in applicable policies, codes and regulations. The purpose of this standard is to ensure common base building security practices across the national portfolio and ensure the common implementation of base building threat and risk assessments. This standard will be reviewed every two years to ensure that it remains up to date, and reflects the most current security posture of the Department.
6. Details
Base building security
RPS, PSPC provides its clients with base building security services (protection of the asset infrastructure, including structural, mechanical, electrical, and architectural) and must develop and implement risk-based security in its portfolio.
Base building security is made up of both mandatory and risk-based security controls. Mandatory controls are outlined in Annex A of this standard.
As a primary function, base building security must:
- apply approaches to mitigate the impacts on the building that arise from criminal and unauthorized activity, in order to maintain the integrity, functioning and value of the building asset, including its structure and its systems;
- apply controls to deter criminal and unauthorized activity on all custodial property in public zones, areas, and property under the responsibility of PSPC and not under a client occupancy instrument;
- apply controls to mitigate the impact of threats and risks to custodial assets arising from environmental conditions, climate change, and geographic location;
- monitor and protect PSPC owned and leased assets to support the continuity of government operations;
- establish an environment of continual operational readiness in support of business continuity plans;
- provide adequate detection and response capacity to respond to known or foreseeable threats to the Crown-owned and leased asset;
- support Government of Canada security requirements for real property, including appropriate security and emergency plans and arrangements in the event of increased threat or readiness situations;
- support other emergency plans and arrangements as prescribed by Government of Canada policies, directives, standards and lead agency responsibilities in the TB Policy on Government Security; and
- support the timely implementation of reasonable and risk-based additional tenant-funded security measures, as indicated in the client threat and risk assessment.
Hours of operation covered by this standard are the hours included in the occupancy instrument, and include only those measures required by the base building threat and risk assessment and other governing legislation. Additional requirements outside the base building threat and risk assessment and the occupancy-instrument-specified hours are not considered to be covered under base building.
Base building threat and risk assessment
Standard base building security controls and tenant-funded enhancements for base building areas are identified primarily by base building threat and risk assessments which must be undertaken for all real property assets. Threat and risk assessment (TRA) processes are outlined in Annex B. New assets or renovations require a site security brief and/or a security design brief at the inception phase.
Security requirements for tenant space, including transition space and other tenant-funded enhancements, are provided to RPS by the tenant department in a threat and risk assessment and/or a security design brief. These tenant costs are assessed as outlined in Annex C.
As a minimum, base building threat and risk assessments will identify and recommend physical security controls, as well as guard services, and/or other monitoring activities and procedures for the general protection of a custodial asset. Controls must facilitate appropriate detection and response on a 24/7 basis unless otherwise specified by a threat and risk assessment.
Base building threat and risk assessments, site security briefs, and design briefs must follow a prescribed format developed and updated by RPS’s Property and Facility Management service line to provide a common approach, and to support risk-based security management of all PSPC owned and leased assets.
Base building threat and risk assessments must be conducted on a five-year cycle or when:
- There is a possible change in the threat environment identified locally, by RPS, the departmental security officer (DSO), or the tenant;
- There are changes in tenant departments or their operations, and the existing threat and risk assessment is no longer applicable due to an increased threat profile;
- There are plans to integrate new technology or systems within the facility that may impact the physical security risks in the environment; or
- There is a change in status of the building or a significant renovation planned.
At the initial phases of selection, design, and procurement of custodial assets, a current threat and risk assessment, or a base building threat and risk assessment, must be available and, if required, a site survey (site brief) must be conducted. It should be noted that an assessment of risk is required prior to the implementation of security controls.
Building assets must be categorized by their attributes and the security risks associated with the building operations. The Property and Facility Management service line maintains a profile of all custodian facilities, and acts as the central repository for such information. Annex D gives further information on the categorization of buildings.
The Property and Facility Management service line must be engaged directly in all circumstances where infrastructure has a high asset value, is located in heightened security environments, has a high symbolic value, or houses critical services. The Property and Facility Management service line obtains, reviews and assesses threats and other data from the Government of Canada and other closed sources. Consequently, all base building threat and risk assessments and surveys completed at the local level must be submitted to the Property and Facility Management service line for review. The Property and Facility Management service line will return, as appropriate, recommendations for the inclusion of additional controls to mitigate risks impacting PSPC custodial facilities as a result of the tenant’s operations or sensitive assets to be located at the site.
Transition areas such as loading docks and reception zones must be adequately established and be appropriate to operations. Where possible, a building’s physical attributes are to be considered in security planning.
Security enhancements to support access control into tenant space, whether in a reception zone, mail room, loading area or other access point, are tenant-funded enhancements.
In a multi-tenant building, the Property and Facility Management service line works with the responsible building authority on building-wide security issues. The responsible building authority is accountable for ensuring action is taken to ensure the overall security of the building, adhering to the base building minimums, and resolving tenant level issues.
Monitoring and compliance
Compliance with this standard is mandatory. Compliance will be monitored and reported on through the base building security program, which performs a national oversight and quality monitoring role, and includes:
- continuous auditing throughout the life cycle of base building security for buildings, with appropriate reporting, by using base-building-security-tailored audit tools;
- preparation of an annual report on base building security;
- annual reporting on the status of implementation of threat and risk assessment recommendations;
- completion of base building threat and risk assessments as part of the Building Management Plan (BMP) National Call Letter.
7. Definitions
Base building (immeuble de base)
All elements related to the construction of, and systems required for, the services and functions of a building. This includes structural elements, building exterior (roof, windows, cladding, exterior doors, etc.), electrical, heating, ventilation and air conditioning (HVAC), conveying systems, interior finishes in common areas, fire and life safety systems, and building controls. Excluded from the definition of base building are internal elements related to tenant mandate or improvements/fit-up such as finishes and construction within a tenant space.
Base building security as defined in Treasury Board’s Operational Security Standard on Physical Security (sécurité de l’immeuble de base selon la Norme opérationnelle sur la sécurité matérielle du Conseil du Trésor)
Security safeguards provided by the custodian department to protect a facility but not the assets contained in the building. Basic building security provides a base or starting point for other security requirements (i.e. minimum and enhanced safeguards) to be added to protect the specific assets held by the institution.
Base building security controls (contrôles de sécurité de l’immeuble de base)
Security safeguards, either physical or procedural, designed to protect the custodial asset and to render an environment suitable to house general Government of Canada operations. They consider the value and symbolism of the asset, but are limited to providing security that assures general protection of the asset, deters crime and unauthorized activity, and provides a reasonable expectation of security to persons and property on or in base building areas of responsibility. They do not include security controls required by virtue of the tenant operations or associated safeguards.
Base building security risk matrix (matrice des risques en matière de sécurité de l’immeuble de base)
A security risk management methodology applied to the information received during a base building threat and risk assessment. It is designed to categorize assets, and identify factors potentially related to heightened risk to the custodial assets as a result of tenant operations, or other factors causing risk. In the selection of tenants for a building, the matrix assists in aligning tenant security requirements with a building’s attributes to maximize the ability to implement appropriate security controls, and minimize costly security upgrades.
Base building threat and risk assessment (évaluation de la menace et des risques pour l’immeuble de base)
A standard document that prescribes how to conduct threat and risk assessments specifically designed for base building, that support the protection of custodial assets and the implementation of this standard. It includes physical security checklists, and a list of documents and standardized questions to be submitted to the Property and Facility Management service line as part of evidence-based security risk management.
Climate change adaptation (adaptation aux changements climatiques)
Security adjustments made by the Department in order to deal with the effect of potential climate change, given the increased risk of occurrence of natural disasters, rising global temperature, and increased precipitation. Current risks related to building security include increased risk of floods, weather events that exceed what current building design standards can mitigate, extended periods of heat that overwhelm current HVAC systems or cause foundation instability, and interruptions to municipal services such as water and power.
Collateral threats (menace collatérale)
Threats to the persons, assets, or facilities that are the result of a facility's proximity to infrastructure or areas that are under higher threat, and where the impact of attacks against that infrastructure may adversely affect the facility.
Consequential threats (menace indirecte)
Threats to the persons, assets, or facilities that are the result of any involvement by another organization present in the building with other groups or issues.
Custodial facilities (installations dont le Ministère a la garde)
All real property assets (buildings, infrastructure, and land) where the Minister of Public Services and Procurement Canada, under the Federal Real Property and Federal Immovables Act, has the administration of real property, including those that are leased or Crown-owned.
Any space primarily used for the delivery of Government of Canada services. A facility includes the main structure, surrounding property, and outbuildings associated with the delivery of services, or that hold Government of Canada infrastructure used to deliver those services.
Mandatory requirements (exigences obligatoires)
All direction derived from authoritative sources, including but not limited to legislation, regulations, and Government of Canada policies with respect to minimum baselines. They are to be applied consistently throughout the facility, and remain in force at all times.
Security design brief (énoncé de la conception de la sécurité)
A document that describes the physical protection philosophy and concepts, as well as physical safeguards, for a facility that are to be integrated into design and construction. It is a requirement at the inception phase for new assets or renovations.
Security infrastructure protection for non-building assets (protection de l’infrastructure de sécurité pour les biens autres que des immeubles)
The Department’s custodial responsibilities for designated heating plants, dams, bridges, and warehouses, which require a range of integrated security controls for base building security infrastructure protection.
Security posture (posture de sécurité)
The overall plan and approach taken by the Department to deter security breaches or unlawful activity. This includes all phases from planning to implementation, and is comprised of control measures, both physical and psychological, which protect the department from security threats.
Security site brief (énoncé de sécurité du site)
A document that describes the physical security attributes sought in a site during acquisition. It is a requirement at the inception phase for new assets or renovations.
Specific service agreement (SSA) (convention particulière de services [CPS])
An internal PSPC contract between one service branch and another government department. It describes the work to be done and associated costs.
Tenant-funded base building security controls (contrôles de sécurité de l’immeuble de base financés par le locataire)
Additional security controls identified to mitigate risks to custodial assets, or government operations housed therein, that are present as a result of the tenant’s presence, operations, or other activities.
8. References
- Access to Information Act
- Canada Labour Code
- Canada Occupational Health and Safety Regulations
- Canadian Charter of Rights and Freedoms
- Canadian Human Rights Act
- Emergency Management Act
- Federal Real Property and Federal Immovables Act
- Financial Administration Act
- Library and Archives of Canada Act
- Privacy Act
- Public Service Employment Act
- Security of Information Act
- Access to Information, Policy on
- Directive on Security Management
- Contracting Policy
- Government Security, Policy on
- Identity Management, Directive on
- Management of Information Technology, Policy on
- Management of Materiel, Policy on
- Management of Real Property, Policy on
- Management of Risk, Framework for the
- Security Screening, Standard on
- Values and Ethics Code for the Public Sector
The following links have been archived and are posted for reference purposes only.
- Occupational Safety and Health
- Operational Security Standard - Business Continuity Planning (BCP) Program
- Operational Security Standard: Management of Information Technology Security (MITS)
- Operational Security Standard on Physical Security
- Security Organization and Administration Standard
- Security and Contracting Management Standard
- Departmental Security Program (051)
- RCMP G1-005 – Preparation of Physical Security Briefs
- Departmental Operations Center (DOC) Integrated Communications Protocol
- Crime Prevention Through Environmental Design (CPTED)
- Technical Reference for Office Building Design
9. Attachments
Annex A – Elements of Base Building Security and Mandatory Controls
Annex B – Application of Threat and Risk Assessment for Base Building Security
Annex C – Delineation of Funding Responsibilities
Annex D – Building Categorization
10. Enquiries
Enquiries about this standard can be directed to the RPS Base Building Security team: TPSGC.SISecuriteImmeubleDeBase-RPSBaseBuildingSecurity.PWGSC@tpsgc-pwgsc.gc.ca.
Any proposed modifications should be done in consultation with the Property and Facility Management service line. Also, any interpretation questions related to security portions of this document should be referred to the Property and Facility Management service line.