Facility security clearance examines security arrangements
When conducting facility security clearance, Supo examines the reliability of responsible individuals in the enterprise, its ability to discharge its commitments, and its security arrangements.
There are three aspects to facility security clearance. The first stage is a background inspection of the enterprise and its responsible individuals. The second stage is an audit of security arrangements in the enterprise. The third stage follows up on any issues examined at the first and second stages throughout the lifetime of the facility security clearance.
Supo assesses the reliability and capacity of the enterprise and its responsible individuals for discharging their commitments. The assessment reviews:
- general details of business operations
- information concerning the owners of the enterprise
- details of the enterprise’s assets
- details of credit and distraint
- details of tax receivables
- penalties imposed on, and offences targeting the enterprise
- personnel security clearances concerning responsible individuals
Supo assesses whether the security arrangements of the enterprise satisfy the requirements imposed on them. This includes:
- auditing the administrative security of the enterprise
- inspecting the premises of the enterprise
- auditing the information system and communication arrangements (Traficom) where applicable
The Katakri information security audit tool is generally used as the basis for assessing security arrangements.
Facility security clearance may also be conducted in part, for example by inspecting only the premises and background of an enterprise that does not process classified information in its information systems.
Clearance may conclude with a security undertaking
To conclude clearance, Supo may require the enterprise to issue an undertaking to maintaining an
approved standard of information security, and to notify the authorities of any changes in this standard.
The facility security clearance certificate is issued when clearance is complete and the enterprise has signed the undertaking. The certificate may be withdrawn if the enterprise no longer satisfies the requirements or if a responsible individual fails to discharge obligations, and the enterprise fails to rectify its shortcomings within a prescribed period.