Passenger Rail Transportation Security Regulations (SOR/2020-222)

Marginal note:Security plan — objectives

• 7 (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prevent, detect, mitigate, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

• Marginal note:Strategy

  (2) In order to meet the objectives of subsection (1), the security plan must set out

  • (a) a risk management strategy that addresses the risks prioritized as medium or higher in the company’s most recent security risk assessment and all other risks that require remedial action; and

  • (b) additional safeguards that are intended to mitigate heightened risk conditions in a graduated manner.

• Marginal note:Requirements

  (3) The security plan must

  • (a) be in writing;

  • (b) identify, by job title, a senior manager responsible for the plan’s overall development, approval and implementation;

  • (c) describe the organizational structure, identify the departments that are responsible for implementing the plan or any portion of it and identify each position whose incumbent is responsible for implementing the plan or any portion of it;

  • (d) describe the security duties of each identified department and position;

  • (e) set out a process for notifying each person who is responsible for implementing the plan or any portion of it when the plan or that portion of it must be implemented;

  • (f) set out a program for the security awareness training required under section 2 and the components of the security plan training referred to in section 8, including a method to ensure that persons who undergo the security plan training acquire the knowledge and skills required under subsection 8(3);

  • (g) set out a process with respect to security risk assessments required under section 6, including

    • (i) a procedure for conducting security risk assessments, and

    • (ii) a method for assessing and prioritizing the risk;

  • (h) set out a process with respect to remedial actions that are part of the risk management strategy referred to in subsection (2), including

    • (i) a method for identifying security risks that require remedial action, and

    • (ii) a method for implementing remedial actions and for evaluating their effectiveness;

  • (i) set out a process for selecting and implementing additional safeguards required under paragraph (2)(b);

  • (j) describe the remedial actions, including their effectiveness in reducing or eliminating the risks, and the additional safeguards that are part of the risk management strategy referred to in subsection (2);

  • (k) set out the process with respect to security inspections referred to in subsection 5(2);

  • (l) set out a process with respect to security exercises referred to in section 9, including procedures for conducting security exercises;

  • (m) set out a process for responding to threats and other security concerns, including procedures for communicating and coordinating with the host company, if applicable;

  • (n) set out a process for reporting threats and other security concerns;

  • (o) set out a process for reviewing the security plan;

  • (p) include the report on the most recent security risk assessment required under section 6; and

  • (q) set out a policy on limiting access to security-sensitive information and set out measures for the sharing, storing and destruction of that information.

• Marginal note:Implementation — remedial actions and safeguards

  (4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

• Marginal note:Timelines — remedial actions

  (5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and for evaluating its effectiveness in reducing or eliminating the risks.

• Marginal note:Effectiveness — remedial actions

  (6) A passenger company, other than a small passenger company, must evaluate the effectiveness of each remedial action that has been implemented in reducing or eliminating the risks.

• Marginal note:New remedial action

  (7) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new remedial action to address those risks.

• Marginal note:Security plan management

  (8) A passenger company, other than a small passenger company, must

  • (a) make available to each person who is responsible for implementing the security plan the portions of the security plan that are relevant to the duties of that person;

  • (b) review the security plan at least once every 12 months after the day on which this section comes into force;

  • (c) amend the security plan if it does not reflect the most recent security risk assessment;

  • (d) amend the security plan if deficiencies that could adversely impact the security of passenger rail transportation are identified in the security plan, including those identified during the security exercises;

  • (e) conduct a comprehensive review of the security plan within three years after the day on which this section comes into force and subsequently within three years from the date of completion of the last comprehensive review;

  • (f) notify the persons referred to in paragraph (a) of any amendments to the relevant portions of the security plan; and

  • (g) provide a copy of the security plan to the Minister within 30 days after the day on which this section comes into force or after a comprehensive review is conducted under subsection (e), and a copy of the amended portions of the security plan within 30 days after an amendment is made under paragraph (c) or (d).