Your Solution for SMART Response Plans

Tips for Facility Security Planning and Training

Posted on Thu, Jul 10, 2014

Managing the Facility Security Plan (FSP) related administrative duties and associated training requirements can be time-consuming and complex, particularly for large companies. With multiple, dynamic, and security-related response planning variables, many large companies implement a response planning system with a training and exercises management component. Advanced web-based systems can ease the burdens of training documentation, scheduling, and maintenance while verifying regulatory compliance. Managing an enterprise-wide security training program can be complicated by:

  • Multiple fluctuating certification/expiration dates
  • Diverse and varying scope of responder/employee responsibilities
  • Site-specific operations and response objectives
  • Maintaining company standards and best practice priorities
  • Regulatory compliance measures
  • Multiple facilities across several locations
  • Employee turnover

For those facilities required to comply with the U.S. Coast Guard’s (USCG) 40 CFR 105 regulation, an FSP should include site-specific details on the following components:

Notification: The Facility Security Officer must have a means to effectively notify facility personnel of changes in security conditions at a facility. Transportation security incidents are reported to the National Response Center and to appropriate emergency responders. At each active facility access point, a system must be in place to allow communication with authorities with security responsibilities, including the police, security control, and the emergency operations center.

Fencing and monitoring: The FSP must describe security measures to prevent unauthorized access to cargo storage areas, including continuous monitoring through a combination of lighting, security guards, and other methods.

Evacuation: The owner or operator must identify the location of escape and evacuation routes and assembly stations to ensure that personnel are able to evacuate during security threats.

Assessment: The Facility Security Assessment requires description of the layout of the facility, and response procedures for emergency conditions, threat assessment, and vulnerabilities, with a focus on areas at the facility that may be vulnerable to a security threat, such as utility equipment and services vital to operations.

Training: A security plan should describe the training, drills, and security actions of persons at the facility. These actions should deter, to the maximum extent practicable, a transportation security incident, or a substantial security threat. If a facility is required to comply with §105.210, facility personnel with security duties must be trained in the following: (Note: These guidelines are also beneficial to facilities not required to comply with the USCG’s 40 CFR part 105 requirement)

  • Knowledge of current security threats and patterns
  • Recognition and detection of dangerous substances and devices
  • Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
  • Techniques used to circumvent security measures
  • Crowd management and control techniques
  • Security related communications
  • Knowledge of emergency procedures and contingency plans
  • Operation of security equipment and systems
  • Testing, calibration, and maintenance of security equipment and systems
  • Inspection, control, and monitoring techniques
  • Relevant provisions of the FSP

Proper documentation is a critical aspect of any emergency management program. If a facility is required to comply with the USCG’s 40 CFR part 105 regulations, certain documentation is required to be available at the facility and made available to the USCG upon request. A web-based planning system can ensure plan documentation is available from various locations and can expedite plan distribution. The USCG’s 40 CFR 105 requires the following documentation:  

  1. The approved FSP, as well as any approved revisions or amendments thereto, and a letter of approval from the COTP dated within the last 5 years.
  2. The FSP submitted for approval and an acknowledgement letter from the COTP stating that the USCG is currently reviewing the FSP submitted for approval, and that the facility may continue to operate so long as the facility remains in compliance with the submitted FSP.
  3. For facilities operating under a USCG-approved Alternative Security Program as provided in §105.140, a copy of the Alternative Security Program the facility is using, including a facility specific security assessment report generated under the Alternative Security Program, as specified in §101.120(b)(3), and a letter signed by the facility owner or operator, stating which Alternative Security Program the facility is using and certifying that the facility is in full compliance with that program.


Tags: Resiliency, Training and Exercises, Security plans, Department of Homeland Security, Communication Plan, HSE Program

National Incident Management System: 15-Question Quiz to test your knowledge!

Posted on Mon, Dec 09, 2013

The National Incident Management System (NIMS) is the consistent emergency management structure that has been adopted by countless companies to create a more effective, coordinated emergency response. According to FEMA, NIMS provides “a consistent nationwide template to enable Federal, State, tribal, and local governments, the private sector, and nongovernmental organizations to work together to prepare for, prevent, respond to, and recover from domestic incidents, regardless of cause, size, or complexity, including acts of catastrophic terrorism.”

With properly trained employees, many emergency situations can be handled on-site without external responders. However, if an emergency has the potential to exceed the scope of employee training, a unified incident management approach enables multiple entities to respond with one accepted management system. Adopting NIMS facilitates the ability for internal and external responders to collaborate through common operating principles, terminology, and organizational processes to improve response interoperability. The goal, and typical result of NIMS, is a coordinated, faster, and more effective resolution.

Company emergency preparedness personnel, as well as any emergency responders or teams (fire brigade/EMS), can adopt NIMS training programs. The Department of Homeland Security has developed Frequently Asked Questions regarding NIMS.  Below is a sampling of those questions in quiz form to determine your NIMS proficiency.

1. Which is NOT a component of NIMS?
a. Preparedness
b. Communications and Information Management
c. Response Plan
d. Command and Management  

2. Without ICS in place, which of the following often exists?
a. A lack of accountability
b. Poor communication
c. Neither a nor b
d. Both a and b  

3. Which factor encourages jurisdictions to implement NIMS:
a. Federal funding eligibility
b. Pension eligibility
c. Tax exemptions
d. Training exemptions  

4. Which of the following is NOT one of the three primary components of national incident response?
a. NIMS
b. EOP
c. ICS
d. NRF  

5. Which of the following describes NIMS?
a. A set of preparedness concepts and principles for all hazards
b. A response plan
c. Specific to certain emergency management/incident response personnel
d. Reserved for large-scale emergencies  

6. Which is NOT one of the three primary implications of the evolving nature of the NIMS, implementation, and compliance?
a. Dedicated resources for NIMS implementation must be retained on an ongoing basis
b. A new incident commander must be named at the beginning of each fiscal year
c. Compliance demands implementation on prior activities even when new regulations are put forth
d. From year to year, structures and processes that jurisdictions have implemented may change, or even be eliminated

7. Which of the following FEMA directors was the first to have had prior emergency management experience?
a. John Macy
b. Louis Giuffrida
c. General Julius Becton
d. James Lee Witt  

8. ICS is designed to
a. Meet the needs of incidents of any kind or size.
b. Provide a site-specific response plan
c. Provide logistical and administrative support to operational staff
d. Both A and C
e. Both A and B  

9. True or False - Private industry must comply with NIMS requirements in order to receive federal tax incentives.
a. True
b. False  

10. Which of the following ICS concepts states that personnel report to only one supervisor, and maintain formal communication relationships only with that supervisor?
a. Unity of Command
b. Unified Command System
c. Singular Command Structure
d. Mono-command

11. State governments also maintain mutual aid contracts with other states, called:
a. Emergency Management Assistance Compacts (EMACs)
b. Collaborative Support Systems (CSSs) 
c. Intrastate Emergency Management Contracts (IEMCs)
d. None of the above  

12. According to NIMS, all functions of response and recovery are dependent upon ____________ and ___________.
a. Logistics and budget
b. Public perception and reputation
c. Communication and coordination
d. Stakeholder input and stock valuation  

13.  Transfer of Command occurs when:
a. A more qualified person assumes command
b. There is normal turnover of personnel on extended incidents
c. The incident response is concluded and responsibility can be transferred to the home agency, company, or facility
d. All of the above  

14. The Secretary of Homeland Security, through the ________________, publishes the standards, guidelines, and compliance protocols for determining whether a Federal, State, tribal, or local government has implemented NIMS.
a. National Intelligence Council (NIC)
b. National Integration Center (NIC)
c. Incident Command System (ICS)
d. Implementation Coordination System (ICS)  

15. Which is NOT one of the seven strategies for emergency operations?
a. Mobility
b. Rescue
c. Ventilation
d. Containment

ANSWERS
1). c
2). d
3). a
4). b
5). a
6). b
7). d
8). d
9). b
10). a
11). a
12). c
13). d
14). b
15). a


Tags: DHS, Incident Management, Training and Exercises, Department of Homeland Security, Workplace Safety, NIMS

The Evolution of Emergency Management and Disaster Response

Posted on Mon, Dec 02, 2013

Historically, emergency management and preparedness has been a reactive science. The industry’s evolution has been the result of catastrophes, calamities, heightened risks, and newly identified threats that affect the population, economic stability, infrastructure, and national resilience. In recent history, disaster awareness through the 24/7-news cycle has intensified the concept of emergency management integration into our daily lives. Through continued awareness and dedicated mitigation advancements, the effects of future disasters can be limited.

Below is a sampling of key events that advanced emergency management and/or disaster response efforts:

Union Fire Company (1736): On a quest to improve fire fighting techniques, Benjamin Franklin organized and led this volunteer fire department to be a city-wide model of fire fighting best practices. Numerous Philadelphia fire companies modeled their operations after the Union Fire Company.

Congressional Act of 1803: One of the first examples of the United States Federal government proactively addressing a local disaster.  The Act enabled the government to provide assistance to a New Hampshire town after an extensive fire.

American Red Cross (1881): Clarissa Harlowe Barton founded the volunteer organization, which has grown into one of the world’s largest volunteer networks. The organization promotes a cooperative effort to protect and enhance lives of individuals in the wake of personal and large scale disasters.

Flood Control Act (1917): Floods on the Mississippi, Ohio, and other rivers in the northeast led to the Flood Control Act of 1917, the first act aimed exclusively at controlling floods. In 1934, a version of the legislation increased the authority of the Army Corps of Engineers to design and build flood control projects.

Reconstruction Finance Corporation (RFC): On January 22, 1932, the US Congress established and authorized the agency to originate disaster loans for repair and reconstruction of certain public facilities following an earthquake, and later, other types of disasters. The 1953 RFC Liquidation Act terminated its lending powers in an effort to fulfill President Dwight Eisenhower’s vision of limiting government’s involvement in the economy. By 1957, its remaining functions had been transferred to other agencies.

Bureau of Public Roads: In 1934, the agency was given the authority to provide funding for highways and bridges damaged by natural disasters.

Disaster Relief Act of 1950: Authorized the President of the United States to issue disaster declarations. As a result, the declaration permitted federal agencies to provide direct assistance to state and local governments in the wake of a disaster.

Federal Civil Defense Act of 1950: The threat of nuclear war and its subsequent radioactive fallout precipitated numerous pieces of defense legislation. The Act provided the basic preparedness framework to minimize the effects of an attack on the civilian population and a plan to respond to the immediate emergency conditions created by the attack. [2]

Office of Emergency Preparedness (1960): As a result of a series of disasters (Hurricane Donna, Hurricane Carla, and a 7.3 Montana earthquake) the Kennedy administration established this agency to oversee the seemingly growing risk of natural disasters.

National Flood Insurance Act of 1968: The legislation was prompted by the unavailability or prohibitively expensive flood insurance coverage.  The Act resulted in the National Flood Insurance Program (NFIP).

Federal Emergency Management Agency (FEMA): By 1970, over 100 federal agencies and thousands of state and local entities were involved in risk management and disaster response efforts. The scattered, fragmented, and decentralized concept led to duplicated efforts, confusion, and political power struggles. FEMA was created to centralize efforts and minimize disorder.

Oil Pollution Act of 1990 (OPA90): In the wake of the Exxon Valdez oil spill, the law created comprehensive prevention, response, liability, and compensation policies for vessels and facilities that could cause oil pollution to U.S. navigable waters.

Federal Response Plan (1992): The plan aimed to provide a systematic process and structure for coordinated delivery of Federal assistance to address the effects of any major disaster or emergency declared under the Robert T. Stafford Disaster Relief and Emergency Assistance Act. [3]

September 11, 2001: FEMA activates the Federal Response Plan as a response to the worst terrorist attack on the United States. The attacks can be identified as one of history’s turning points for the rapid advancement and coordination of emergency management.

Homeland Security Act of 2002: Was established as a result of the September 11, 2001 attacks in an effort to protect the United States from further terrorist attacks, reduce the nation’s vulnerability to terrorism, and minimize the damage from potential terrorist attacks and natural disasters.

National Response Plan (2004): Developed out of the need to implement common incident management and response principles. The NRP replaced the Federal Response Plan.

National Response Framework (2008): Through stakeholder feedback, a series of disasters, and subsequent lessons learned, the framework was developed to enhance the principles of the National Response Plan. The changes incorporated the concept that an effective incident response is a shared responsibility of all levels of government, the private sector and NGOs, and individual citizens. [4]

The above timeline is just a sampling of the historical events that precipitated change in the emergency management industry. Lessons learned from recent events like Hurricanes Katrina and Sandy, massive wildfires, and the earthquake and subsequent tsunami and nuclear accident in Japan will continue to mold response protocols. As history can predict, the 21st century will provide a backdrop for additional improvements to emergency management policies, response efforts, and preparedness. Emergency-management-degree.org provides an informative infographic detailing various events of the past that have shaped our present, and a nod to anticipated potential threats that create the need for additional preparedness efforts.

1. Reconstruction Finance Corporation (RFC)
2. Federal Civil Defense Act of 1950
3. Federal Response Plan
4. National Response Framework
 


Tags: DHS, EHS, Emergency Preparedness, Incident Management, Emergency Response Planning, Department of Homeland Security

Cyber-Security for ICS Necessary in Business Continuity Planning

Posted on Thu, Nov 21, 2013

The 2013 Global Risk Report ranks cyber-attacks in the “Top Five” of incidents with a high probability of occurring within the next ten years. According to the report, cyber-attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for risk analysis, computer security, downloads, and backups in order to secure necessary integrated technologies. A recent report by The European Union Agency for Network and Information Security (ENISA) highlighted security concerns over Industrial Control Systems (ICS), including the widely utilized Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). These concerns are echoed in recent publications by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

ICS are often used to control industrial processes, such as manufacturing, product handling, production, and distribution, and are a necessary element to promote business continuity. The main concern expressed by ENISA and ICS-CERT is that prevalent industrial control systems are riddled with outdated and unpatched software, leaving them exposed and vulnerable to hackers and cyber-attacks. Mitigating this high risk is critical for maintaining continuity of operations.

Recent SCADA and ICS security incidents greatly emphasize the importance of vigilant observation, analysis, and control of SCADA infrastructures. The ICS-CERT quarterly newsletter, entitled Monitor, stated that the response team responded to 198 incidents across all critical infrastructures in 2012. That number was surpassed by May 2013, with energy infrastructures comprising 53 percent of the targeted attacks. That percentage was up from 41 percent in 2012.


ICS-CERT urges operators to embrace coordination by sharing attack data, specifically indicators of system compromises, and established a secure portal to allow companies to actively engage in protecting critical infrastructure. Through the portal, ICS-CERT was able to identify 10 IP addresses that participated in a recent attack against a gas compressor station. The alert prompted other station owners to investigate their own networks and they eventually reported another 39 IP addresses associated with attacks.

According to ENISA, critical infrastructure companies should employ continual risk-based assessments of cyber security policies to prioritize and tailor recommended guidelines and solutions to fit specific security, business, and operational requirements. ICS-CERT offers recommended practices, vetted by subject-matter experts, to bolster technology security. In addition to these recommended practices, identifying procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology and business continuity of critical business processes in the event of an attack.

There must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, security efforts, and response measures during cyber disruption events. The ability to respond to critical incidents and identify root causes are key aspects in the ability to mitigate potential threats. With technology-based incidents, analyzing the deficiencies that led to IT downtime enables countermeasures to be implemented. ENISA offers four key areas that promote the investigative capabilities needed for mitigation efforts:

  1. Facilitate integration with existing structures
    • Determine source of evidence of security breach
    • Clarify data retention impact on systems
    • Streamline operational and IT interfaces
  2. Safeguard systems and configurations
    • Deploy security controls
    • Ensure logging controls
  3. Review key roles and responsibilities
  4. Embrace partnership coordination and cooperation

 


Tags: ICS, Security plans, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

National Preparedness Month and Corporate Response Planning

Posted on Mon, Sep 23, 2013

In 2004, the U.S. Department of Homeland Security (DHS), The America Prepared Campaign, the American Red Cross, the National Association of Broadcasters, and the U.S. Department of Education joined a coalition of more than 50 national organizations to engage American citizens in emergency preparedness by designating September as National Preparedness Month. This year, more than 3,000 organizations are taking part in supporting emergency preparedness efforts. National Preparedness Month provides a variety of opportunities for citizens to learn more about ways they can prepare for an emergency, get an emergency supply kit, establish a family communications plan, and become better aware of threats that may impact communities.

By prioritizing and encouraging preparedness, companies can set the example for employees, customers, and the surrounding communities. Disasters not only devastate individuals and neighborhoods, but entire communities, including businesses of all sizes. Employers should designate National Preparedness Month to encourage preparedness training, develop business continuity plans (BCP), review and evaluate existing plans, or advance preparedness practices through exercises and gap analyses.

Large and small businesses that are able to continue operations throughout a crisis situation or quickly restore services may avoid economic hardship and potential failure. Determining how to maintain critical business functions in less than ideal situations may be the key to company survival.

Understanding and exercising effective response procedures and the intricacies of a business continuity plan can minimize the effects of an incident. Business continuity events typically result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain

A detailed identification and evaluation of critical business processes, focusing on the key business resources above, should be performed as an integral part of a business continuity plan. This “bare bones” evaluation should list the minimum criteria necessary to keep your business in operation. Necessary minimum criteria may include:

Infrastructure needs: An incident that results in facility damage or mandatory evacuations may require relocation of critical business processes.  Companies must identify and arrange for potential alternate locations, if applicable (ex. satellite offices, work from home, alternate locations).

Data and computer needs: Identifying computer backup solutions, data restoration methods, and minimum software requirements are crucial to re-establish critical business processes.  Companies may examine data center outsourcing to ensure continuity and accessibility, as well as alternative/backup power sources for laptops.

Notification lists: Regularly update lists to ensure all contact information is up-to-date. Business continuity planners must be certain that notifications are being delivered to accurate e-mail addresses and/or phone numbers, especially in case of an evacuation. If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables individuals to verify their own information.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system may assure a reliable method to communicate to key individuals, company employees, or an entire client base. However, in order for communication to be effective, contact information must be accurate.

Supply Chain: Plans should be constantly updated to include new suppliers. Additionally, pre-selected alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm. As the storm passes, ensure staff, contractors, and suppliers are in communication, and understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. The process of relocating equipment and arranging for these essentials after the fact is time-consuming and potentially costly.


Tags: DHS, Business Continuity key points, Business Continuity, Department of Homeland Security, Communication Plan, Business Continuity Plan, Business Disruption

Cyber Security is Essential for Business Continuity

Posted on Thu, Mar 21, 2013

Media organizations, multinational companies, and government agencies have all been victims of recent cyber attacks. February’s highly publicized 60-page Mandiant report, entitled APT1: Exposing One of China's Cyber Espionage Units, revealed evidence of cyber data theft from nearly 141 organizations. It was “beyond a shadow of a doubt” that the Chinese government and military is behind growing cyber attacks against the United States, said House Intelligence Committee Chair Mike Rogers.

The 2013 Global Risk Report ranks cyber attacks in the “Top Five” of incidents with a high probability of occurring within the next ten years. According to the report, cyber attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes. The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.

Companies should address the following DHS cyber security points to ensure business continuity:

  • Is cyber preparedness integrated with your current all hazards preparedness efforts?
  • Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
  • Are cyber security risk-based policies established in your organization?
  • Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
  • Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
  • Are audits conducted on cyber security systems?
  • Are cyber security plan requirements in place and are they being adhered to?
  • Are all systems compliant with company and/or cyber security plan requirements?
  • Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
  • Upon being notified of a compromise/breach of security regarding an employee:
    • Who is notified?
    • What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
    • What steps are followed?
    • Should legal representation be sought and at what point?
    • Who determines if the employee should be held criminally responsible?
  • Are there policies (formal and informal) pertaining to removable storage devices?
  • What is the priority of cyber preparedness, including cyber security, in your organization?
  • What level of funding and/or resources is devoted to cyber preparedness?
  • What are your estimated losses if a cyber attack were to terminate system functionality?
  • What are your critical business unit software requirements?
  • What are the procedures for backing up and restoring data?
  • How often are security patches updated?

Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These types of exercises can also be used to educate employees on technological policies and procedures used to offset cyber attack strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security.

Discussion based exercises:

  • Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
  • An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
  • Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies

Operations based exercises:

  • Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
  • May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
  • Generally involve mobilization and response as opposed to policies and procedures

By exercising the key areas where IT and other corporate response elements intersect, gaps and shortfalls in a company's cyber security and incident response operations can be identified. To maintain business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measures during events caused by cyber disruption.

For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.

Tags: Data Recovery, Computer Security, Business Continuity, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Emergency Response Interoperability and Mutual Aid Agreements

Posted on Thu, Nov 29, 2012

Broadening the scope of response expertise can greatly benefit companies in the event of an emergency incident or disaster. Interoperability and associated agreements with local, state and federal agencies may provide additional resources based on particular experiences, research, or occupational training in a particular area, potentially reducing response time during a dire situation.

According to FEMA, “mutual aid agreements and assistance agreements are agreements between agencies, organizations, and jurisdictions that provide a mechanism to quickly obtain emergency assistance in the form of personnel, equipment, materials, and other associated services.” 

Emergency managers should regularly meet with government agencies, community organizations, and specialized response organizations to discuss likely emergencies and their ability to contribute resources. Mutual aid agreements should facilitate a rapid, short-term deployment of emergency support prior to, during, and after an incident. However, the National Incident Management System (NIMS) Planning Guide states that a response from state or federal resources can take up to 72 hours or longer to arrive.

FEMA states that mutual aid agreements do not obligate agencies, organizations, or jurisdictions to supply provisions or aid, but rather provide a need-based tool should the incident dictate the requirement. These agreements ensure the efficient deployment of standardized, interoperable equipment and other incident services or resources during incident operations. However, emergency managers should consult their company’s legal representative prior to entering into any agreement.

The designated emergency manager will typically establish mutual aid agreements.  However, the incident commander, in coordination with a liaison officer, must have full knowledge of the agreements and respective roles the organization(s) will play during a response.

The NIMS Planning Guide identifies several types of mutual aid agreements that can benefit companies. These agreements include, but are not limited to:

Automatic Mutual Aid Agreement: Permits the automatic dispatch and response of requested resources without incident-specific approvals. These agreements are usually basic contracts.

Local Mutual Aid Agreement: An agreement between neighboring jurisdictions or organizations that involves a formal request for assistance and generally covers a larger geographic area than automatic mutual aid.

Regional Mutual Aid Agreement: An agreement among multiple jurisdictions, often sponsored by a council of governments or a similar regional body.

Statewide/Intrastate Mutual Aid Agreement: A coordinated agreement throughout a State or between states that incorporates both State and local governmental and nongovernmental assets in an attempt to increase preparedness statewide.

Interstate Agreement: Out-of-State assistance through formal State-to-State agreements such as the Emergency Management Assistance Compact, or other formal State-to-State agreements that support the response effort.

International Agreement: Agreements between the United States and other nations for the exchange of Federal assets in an emergency.

Other Agreements: Any agreement, whether formal or informal, used to request or provide assistance and/or resources among jurisdictions at any level of government (including foreign), NGOs, or the private sector.

Memorandums of understanding (MOUs), or letters of intent, may be used with the private sector and nongovernmental organizations (NGOs) to facilitate potential collaborative efforts in the event of an incident. MOUs can be legally binding depending on the intention of the contractual parties, the language used in the document, and the residing jurisdiction. However, other MOUs can be construed as a non-binding “gentlemen's agreement”.

The U.S. Department of State suggests the following regarding MOUs:

“While the use of a title such as “Memorandum of Understanding” is common for non-binding documents, we caution that simply calling a document a “Memorandum of Understanding” does not automatically denote for the United States that the document is non-binding under international law. The United States has entered into MOU’s that are considered binding international agreements.”

Download this free 9-Step sample Emergency Response Procedures Check List.

Tags: BCM Standards, Emergency Response, Department of Homeland Security, Supply Chain, Disaster Recovery, Business Disruption

Corporate Inter-dependencies Require Emergency Preparedness Efforts

Posted on Thu, Nov 15, 2012

Growing corporate interdependencies present significant challenges when infrastructure disruptions or losses occur. Basic physical structures are necessary for society to be operational. However, critical services and the companies that provide them depend on these structures in order for an economy to function. When these structures are damaged, those economy-stabilizing companies must seek alternate ways to remain operational.

Securing the critical physical infrastructure through mitigation, emergency preparedness, and business continuity planning efforts is at the forefront for the U.S. Department of Homeland Security (DHS). But efforts should not be left to government entities. Companies must prioritize emergency preparedness and business continuity initiatives in order to minimize supply chain interruptions that could affect the ability to provide critical services.

“Mitigating our most significant vulnerabilities and/or mounting a timely and efficient response and recovery effort at a major municipal, regional or national level requires strategic thinking, investment and capacity building well in advance of a paralyzing disaster.” - Revitalizing American Manufacturing to Protect, Respond and Recover

The present global risk environment is highly unpredictable and incidental impacts may be far reaching. After the massive 2011 earthquake and subsequent tsunami in Japan, the world’s manufacturing supply chains, most notably in the auto and electronics sectors, felt the aftershocks of limited supplies. Businesses within Japan and internationally experienced production problems and supply chain interruptions. The loss of critical infrastructure will have an effect on local companies; however, the disruption proved to adversely affect businesses far from the impact zone. Risk managers and business continuity advisers should be alert to lessons learned from the crisis in Japan and re-evaluate their company’s ability to respond as necessary if loss of critical infrastructure affects supply chains.

In addition to naturally occurring events with the potential to damage or disable U.S. infrastructure, the infrastructures are deteriorating due to generations of use. The 2009 American Society of Civil Engineers (ASCE) Report Card gives the U.S. infrastructure an overall grade of "D" or "Poor". The report reveals that an investment of more than $2.2 trillion through 2014 is necessary to address the most critical needs. Unfortunately, a sluggish economy has slowed reinforcement efforts.

The combination of deteriorating infrastructures and naturally occurring threats makes emergency preparedness and business continuity planning crucial for companies, especially those that fall into DHS’s critical infrastructure sector. Companies should prioritize and initiate response coordination with local authorities and establish continuity plans to counteract infrastructure failure.

Threats and risks that have the potential to affect infrastructure and supply lines include, but are not limited to:

  • domestic and international terrorism
  • floods
  • hurricanes
  • earthquakes
  • oil spills and other environmental incidents
  • technological failures
  • pandemic influenza
  • malicious cyber intrusions and disruptions

Given the current state of the U.S. infrastructure and the continual occurrence of high-risk scenarios, supply chains that perpetuate operational productivity may be unreliable and fleeting. According to the Business Continuity Institute’s “Supply Chain Resilience 2011” study, supply chain incidents led to productivity loss for almost half of businesses surveyed. If essential resources, both internal and external, fail, companies need to arrange sustainability through outside resources. Highlighted areas to review include, but are not limited to:

  • External facilities and equipment needed to produce the company’s products and services
  • Necessary products and services provided by suppliers, especially sole source vendors
  • Lifeline services such as electrical power, water, sewer, gas, telecommunications, and transportation
  • Operations and personnel vital to continued operation

Corporate and facility emergency managers should pre-identify critical processes and the equipment necessary to function. Through this process, alternatives can be explored and a business continuity plan can be developed that may reduce the impacts of infrastructure disorder and associated supply chain disruptions. Business continuity preparedness can prevent unnecessary downtime and increased recovery efforts, and protect the financial bottom line.

For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.

Tags: DHS, Business Continuity, Department of Homeland Security, Business Continuity Plan, Disaster Recovery, Business Disruption

USCG Requirements and Responsibilities of Facility Security Officer

Posted on Mon, Sep 17, 2012

This summer, 22 nations, more than 40 ships and submarines, over 200 aircraft and 25,000 personnel participated in the Rim of the Pacific (RIMPAC) exercise in and around the Hawaiian Islands. The biennial exercise is designed to establish and sustain cooperative relationships to ensure the safety of sea-lanes and security on the world's oceans. This exercise emphasizes the importance of the US Coast Guard’s Maritime Transportation Security Act of 2002 (MTSA) for U.S.-based marine-transportation related facilities by prioritizing safety and security.

The MTSA requires marine-transportation related facility owners to be responsible for facility security. The Act requires vulnerability assessments and security plan approvals. The marine transportation security aspects regulated by the USCG cover the entire facility, not just the transfer or “dock” area.

However, not all port-located facilities are affected by the MTSA regulations. The MTSA requires that those facilities deemed “high risk” for transportation related security incidents must comply with regulations in order to continue operations. “High risk” facilities that must comply with MTSA requirements are those that perform the following:

  • Handle explosives, liquefied natural or hazardous gas, or other Certain Dangerous Cargoes (CDC)
  • Transfer oil or hazardous materials
  • Handle vessels covered by Chapter XI of the International Convention for the Safety of Life at Sea (SOLAS)
  • Handle passenger vessels certified to carry more than 150 passengers (if vessels actually embark or disembark passengers there)
  • Handle cargo vessels greater than 100 gross registered tons
  • Handle barges that carry cargoes regulated by 46 CFR, chapter I, subchapter D or O, or CDCs.

A facility that is deemed high risk must assign a Facility Security Officer (FSO). According to 33 CFR Part 105, maritime security for facilities, a single employee may serve as the FSO for more than one facility, as long as the facilities are in the same Captain of the Port (COTP) zone and are within 50 miles of each other. The FSO may also perform other duties within the company, but they must be able to perform the duties and responsibilities required of the FSO. The FSO must ensure and oversee the following duties:

  • Facility Security Assessment (FSA)
  • Facility Security Plan (FSP) is developed and implemented
  • Annual audit and, if necessary, update of the FSA and FSP
  • The FSP is exercised per §105.220
  • Regular security inspections
  • Security awareness and vigilance of the facility personnel
  • Adequate training to personnel performing facility security duties
  • Security incidents are recorded and reported to the owner or operator
  • Documentation of maintenance
  • Preparation and the submission of any reports
  • Any required Declarations of Security with Masters, Vessel Security Officers or their designated representatives
  • The coordination of security services in accordance with the approved FSP
  • Security equipment is properly operated, tested, calibrated, and maintained
  • The recording and reporting of attainment of changes in MARSEC Levels to the owner or operator and the cognizant COTP
  • When requested, provide assistance to the Vessel Security Officers in confirming the identity of visitors and service providers seeking to board the vessel through the facility
  • Timely notification to law enforcement personnel and other emergency responders of any transportation security incident
  • The FSP submittal to the cognizant COTP for approval, as well as any plans to change the facility or facility infrastructure prior to amending the FSP
  • Facility personnel are briefed on changes in security conditions
  • Proper implementation of the Transportation Worker Identification Credential (TWIC) program, if necessary.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

Tags: USCG, MTSA, Security plans, Department of Homeland Security, Terrorism Threat Management, Chemical Industry

NIMS Preparedness and Response Training Objectives

Posted on Thu, Jun 21, 2012

In 2004, the Department of Homeland Security published the National Incident Management System (NIMS) in an effort to provide a consistent template to enable government agencies, the private sector, and nongovernmental organizations to collaborate in the preparation, response, recovery and mitigation of incidents. Regardless of size, location, or complexity of an incident, the nationwide system provides a common foundation to reduce the loss of life, property, and harm to the environment in the event of an incident.

However, a critical tool in promoting the implementation of NIMS is a well-developed training program. Implementing the NIMS Training Program is a critical component of a National Training Program, mandated by the Post-Katrina Emergency Management Reform Act of 2006. Federal policy requires jurisdictions, organizations, or companies to meet NIMS compliance requirements as a condition for receiving Federal preparedness assistance, grants, and/or contracts.

The goal of the NIMS training program is to create a well-coordinated, sustainable program that meets the operational needs of the emergency management and incident response community. The following NIMS concepts should be included in preparedness and response training programs:

Preparedness - Incorporating a coordinated, unified approach to emergency management and incident response activities based on chain of command and unity of effort, implementation, and command is the basis for achieving preparedness. According to NIMS, there are five preparedness elements that build the foundation for effective and efficient response and recovery:

  • Planning
  • Procedures and Protocols
  • Training and Exercises
  • Personnel Qualifications and Certification
  • Equipment Certification

Communications and Information Management - Utilizing flexible communications and information systems allows emergency management and response personnel to maintain a constant flow of information throughout an incident. Principles of communication and information management should incorporate the following components:

  • Redundancy
  • Reliability
  • Interoperability
  • Cohesive communication procedures

Resource Management - Managing preparedness and response resources (personnel, teams, facilities, equipment, and/or supplies) to meet incident needs allows for a more efficient and effective response. The foundations of resource management include:

  • Planning
  • Utilizing agreements and contracts
  • Organizing and categorizing resources
  • Identifying and ordering resources
  • Effectively managing resources

Command and Management - Highlighting the systems used to facilitate Command and Management operations/responsibilities for the single incident commander, unified command, command staff, incident command organization, and/or general staff. These systems may include:

  • Incident Command Systems (ICS)
  • Multiagency Coordination Systems (MACS)
  • Public Information Systems

Ongoing Management and Maintenance - Sustaining the administration duties and implementation of NIMS as put forth by the National Integration Center (NIC), and utilizing improved technologies, will ensure regulatory compliance and enhance management capabilities.

For a free guide that details the world of HAZWOPER training, download A Guide to HAZWOPER Training.

Tags: DHS, Training and Exercises, Emergency Management Program, Department of Homeland Security, National Preparedness