In our six missions that we examined, we looked at what security measures had been recommended by Global Affairs security staff. We looked at their threat and vulnerability assessments, and those examined both the physical and operational security measures. They made a number of recommendations for what needed to be put in place at the missions, given the threat environment.
We understood that those assessments did identify critical vulnerabilities. As a result, it also identified several interim measures that needed to take place, such as additional operational security, additional guards and additional surveillance in general across its missions, and in each of the vulnerability assessments we had looked at.
What we found, though, was that at the missions there was not a good understanding of what those measures needed to be. Everyone was quite clear about what the critical vulnerability was, but they weren't necessarily clear about what mitigating interim measures needed to be in place, and we did find that some of those interim measures were not in place. Some of them were in place and some of them weren't, but there wasn't an understanding of why some were in place and why others weren't in place so that there would be an overall understanding of the security posture of the mission. Therefore, we recommended that that be well documented. Especially in an organization like Global Affairs, where there is cyclical rotation of the staff, we recommended that staff be very clear about what's required—particularly as these vulnerability assessments are not necessarily done every year—so that there would be a good understanding across heads of mission and with the security officials within the missions as well.