The Office of the Superintendent of Financial Institutions (OSFI) has a requirement for the provision of the professional services of security investigators. The services will be provided on an as and when requested basis.
OSFI requires professional services to conduct administrative investigations of employee and contract personnel, as and when requested, to determine if there has been any wrongdoing. Investigation professional services must include those specified in the table below. Investigations will be initiated via an email sent by the Project Authority to the Lead Investigator.
a) Review reference materials (if required) and develop action plan.
a. Prior to conducting their first investigation at OSFI, the Investigator (primary or backup resource) must review the following reference materials:
i. OSFI’s Statement of Values and Code of Conduct;
ii. Values and Ethics Code of the Public Sector; and
iii. Materials relating to other previously conducted administrative investigations at OSFI.
b. The lead Investigator must develop an action plan for the required investigation; review the action plan with the Project Authority (PA); and obtain PA signoff prior to launching the investigation.
b) Conduct administrative investigations.
a. The lead investigator must conduct investigations, as and when requested, and gather information to support any OSFI investigation impacting OSFI’s security to determine:
i. Whether an employee’s or contractor’s violation of the OSFI Statement of Values and Code of Conduct was intentional and/or malicious.
ii. The severity of the harm that was caused to OSFI by the employee’s or contractor’s actions. Harm will be investigated based on factors including, but not limited to, the impact on OSFI operations, its reputation and the costs associated with addressing the actions.
iii. Whether or not the employee’s or contractor’s actions in this incident are part of a pattern of behavior which may “affect the employee’s or contractor’s performance of duties or that may lead to an inability or unwillingness to safeguard sensitive information, assets or facilities,” as described in Appendix D, Subsection 6 of the Standard on Security Screening.
iv. Whether or not the employee or contractor might do the same action or similar actions in the future which might affect their ability to hold, at a minimum, a reliability status which, according to the Standard on Security Screening, relates to the employee’s “honesty and whether he or she can be trusted to protect the employer's interests” as described in the definitions section of the Standard on Security Screening.
b. To conduct the investigation, the Investigator is required to complete tasks including, but not limited to, the following:
i. Work with Corporate Security division and other parties at OSFI as necessary to obtain pre-ambles, contact information, forms, notifications and to coordinate logistical arrangements and other administrative activities.
ii. Review the employee’s human resources files or contractor’s hiring documents as applicable.
iii. Interview OSFI personnel who have knowledge of the incident(s), including the employee’s or contractor’s direct manager.
iv. Interview OSFI personnel who have knowledge of the impact on OSFI’s operations, reputation and the costs associated with the incident.
v. Interview external business partners to OSFI, informants, and other parties with knowledge of the incident.
vi. Liaise and obtain information from OSFI IM/IT, as required.
vii. Review logs, records, and other relevant materials in OSFI’s possession.
viii. Access open-source databases, provided by the Contractor, to conduct required research into the individual who is the subject of the inquiry.
ix. Conduct a security interview with the individual who is the subject of the inquiry.
x. Support judicial matters, if applicable, including the provision of advice to OSFI, and providing testimony in court.
Notes: (1) The above tasks will be reviewed and repeated as necessary. (2) Where the above tasks are delegated to a more junior support resource, the work must be conducted under the oversight of the lead investigator. (3) All interviews must be conducted by the lead investigator.
c. Following the work described above, the lead investigator will determine if additional steps are required to ensure that sufficient information is available to support the Project Authority’s decision.
d. The lead investigator must prepare a final report for Project Authority (PA) approval as follows:
i. Develop and document in detail their investigative findings related to the factors (i. – iv.) identified under a. (above) to enable the PA to make a decision with respect to how to proceed.
ii. The Investigator must meet with the PA to review the final report. If requested by the PA, the Contractor must conduct further investigations and update their findings accordingly.
iii. The final written report must be reviewed and accepted by the Project Authority for the work to be considered completed.
c) Forensic services.
The Contractor must, as and when requested, provide forensic services as required to support administrative investigations (e.g., forensic audits of technology devices such as smart phones and computers).
d) Advisory Services
Provide advisory services, on an as and when requested basis, including but not limited to advising on investigation practices; providing knowledge transfer and coaching services; reviewing policies and procedures related to investigations; etc.