Publishing security procedure publically makes it fundemtally flawed and they well know that.
There are two parts to security procedures however.
(1) What you expect people to do so that their behaviour and credentials can be monitored and verified.
(2) What the security services will do to check up on everybody.
(1) should be published for efficiency, but (2) should not be published because the knowledge allows bad people to work around them.
Surely our security services understand this?
G