
Homegrown Security Threats and the Facility Security Plan

Posted on Thu, Feb 09, 2017

A report by the New Jersey Office of Homeland Security and Preparedness ranked homegrown violent extremists as the number one threat to security. As a result, companies should continue to bolster their security training, response planning and preparedness efforts into 2017 so that they are better prepared to identify and respond to security issues.

According to the report, “Homegrown violent extremists are individuals inspired by foreign terrorist organizations and radicalized in the countries in which they are born, raised, or reside.”

Companies, security personnel and employees should remain vigilant. The report identified “Eight Signs of Terrorism” that the private sector should be aware of. The signs include:

  1. Surveillance: Terrorists will attempt to determine the strengths, weaknesses, and number of personnel that may respond to an incident.
  2. Elicitation/Seeking Information: Attempt to gain information through inquiries, including seeking knowledge about a place, person, or operation.
  3. Tests of Security: Either through visual observations or physical entry, suspects may move into sensitive areas and observe security and law enforcement responses.
  4. Acquiring Supplies: The purchase or theft of explosives, weapons, or ammunition. It could also include unusual purchasing or storing of fertilizer or harmful chemicals. Terrorists also find it useful to acquire law enforcement equipment and identification, military uniforms and decals, and flight passes, badges, or manuals.
  5. Suspicious People: Observe suspicious people who do not belong. The suspicious person could be anyone in a building, neighborhood, or business establishment who seems out of place because of their demeanor or line of questions.
  6. Dry Run: Before the execution of an operation, a practice trial is usually run to work out any flaws or unanticipated problems.
  7. Deploying Assets: Look for someone deploying assets or getting into position. This is your last chance to alert authorities before a terrorist act occurs.
  8. Terrorism Funding: Terrorists use a variety of methods to raise, launder, and transport funds including false credit cards,

But with so many dynamic and security-related response planning variables, site-specific security training and preparedness planning can be challenging. A database-driven, web-based response planning system can alleviate some of those challenges.


A security assessment should be performed in order to identify areas at the facility that may be vulnerable to a security threat. In order to address security issues, a facility response plan should include, but not be limited to, the following security-related components:

Notifications:

  • The Facility Security Officer must have a means to effectively notify site personnel of changes in facility security conditions.
  • Transportation security incidents must be reported to the National Response Center and to appropriate emergency responders.
  • At each active facility access point, a system must be in place to allow communication with those that have security responsibilities, including the police, security control, and the emergency operations center.

Fencing and monitoring:

  • Security measures should be in place to prevent unauthorized access to storage areas. Facilities should provide continuous monitoring through a combination of lighting, security guards, and other detailed methods.

Evacuation:

  • The owner or operator must identify the location of evacuation routes and assembly stations to ensure that personnel are able to safely evacuate during a security threat.

A security plan should describe the training, drills, and security actions of personnel at the facility. These actions should deter, to the maximum extent practicable, a security incident, or a substantial security threat. Facility personnel should receive varying levels of security training depending upon their responsibilities. Security training levels may vary, but might include:

  • Knowledge of current security threats and patterns
  • Recognition and detection of dangerous substances and devices
  • Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
  • Techniques used to circumvent security measures
  • Crowd management and control techniques
  • Security related communications
  • Knowledge of emergency procedures and contingency plans
  • Operation of security equipment and systems
  • Testing, calibration, and maintenance of security equipment and systems
  • Inspection, control, and monitoring techniques
  • Relevant provisions of the Facility Security Plan

 


Tags: Facility Response Plan, Security plans

Tips for Facility Security Planning and Training

Posted on Thu, Jul 10, 2014

Managing the Facility Security Plan (FSP) related administrative duties and associated training requirements can be time-consuming and complex, particularly for large companies. With multiple, dynamic, and security-related response planning variables, many large companies implement a response planning system with a training and exercises management component. Advanced web-based systems can ease the burdens of training documentation, scheduling, and maintenance while verifying regulatory compliance. Managing an enterprise-wide security training program can be complicated by:

  • Multiple fluctuating certification/expiration dates
  • Diverse and varying scope of responder/employee responsibilities
  • Site-specific operations and response objectives
  • Maintaining company standards and best practice priorities
  • Regulatory compliance measures
  • Multiple facilities across several locations
  • Employee turnover

An FSP, for those facilities required to comply with the U.S. Coast Guard’s (USCG) 40 CFR 105 regulation, should include site-specific details on the following components:

Notification: The Facility Security Officer must have a means to effectively notify facility personnel of changes in security conditions at a facility. Transportation security incidents are reported to the National Response Center and to appropriate emergency responders. At each active facility access point, a system must be in place to allow communication with authorities with security responsibilities, including the police, security control, and the emergency operations center.

Fencing and monitoring: The FSP must describe security measures to prevent unauthorized access to cargo storage areas, including continuous monitoring through a combination of lighting, security guards, and other methods.

Evacuation: The owner or operator must identify the location of escape and evacuation routes and assembly stations to ensure that personnel are able to evacuate during security threats.

Assessment: The Facility Security Assessment requires description of the layout of the facility, and response procedures for emergency conditions, threat assessment, and vulnerabilities, with a focus on areas at the facility that may be vulnerable to a security threat, such as utility equipment and services vital to operations.

Training: A security plan should describe the training, drills, and security actions of persons at the facility. These actions should deter, to the maximum extent practicable, a transportation security incident, or a substantial security threat. If a facility is required to comply with §105.210, facility personnel with security duties must be trained in the following: (Note: These guidelines are also beneficial to facilities not required to comply with the USCG’s 40 CFR part 105 requirement)

  • Knowledge of current security threats and patterns
  • Recognition and detection of dangerous substances and devices
  • Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
  • Techniques used to circumvent security measures
  • Crowd management and control techniques
  • Security related communications
  • Knowledge of emergency procedures and contingency plans
  • Operation of security equipment and systems
  • Testing, calibration, and maintenance of security equipment and systems
  • Inspection, control, and monitoring techniques
  • Relevant provisions of the FSP

Proper documentation is a critical aspect of any emergency management program. If a facility is required to comply with the USCG’s 40 CFR part 105 regulations, certain documentation is required to be available at the facility and made available to the USCG upon request. A web-based planning system can ensure plan documentation is available from various locations and can expedite plan distribution. The USCG’s 40 CFR 105 requires the following documentation:  

  1. The approved FSP, as well as any approved revisions or amendments thereto, and a letter of approval from the COTP dated within the last 5 years.
  2. The FSP submitted for approval and an acknowledgement letter from the COTP stating that the USCG is currently reviewing the FSP submitted for approval, and that the facility may continue to operate so long as the facility remains in compliance with the submitted FSP.
  3. For facilities operating under a USCG-approved Alternative Security Program as provided in §105.140, a copy of the Alternative Security Program the facility is using, including a facility specific security assessment report generated under the Alternative Security Program, as specified in §101.120(b)(3), and a letter signed by the facility owner or operator, stating which Alternative Security Program the facility is using and certifying that the facility is in full compliance with that program.


Tags: Resiliency, Training and Exercises, Security plans, Department of Homeland Security, Communication Plan, HSE Program

Facility Response Plan Audits Necessary in Mergers and Acquisitions

Posted on Mon, Mar 31, 2014

As companies merge, acquire facilities, or expand operations, applicable location-specific threats, risks, and regulations must be incorporated into response plans. Emergency preparedness programs and facility response plans need to be reviewed, at a minimum, on an annual basis to adequately reflect expanding operations. However, if an acquisition or merger occurs, it is essential to evaluate and align facilities and processes with corporate standards and applicable regulatory requirements.

Enterprise expansion requires environmental, health, and safety (EHS) managers to sharpen their location-based understanding of regulations, security needs, and associated response plan components specific to each location. As part of a company’s asset management program, engaging experienced personnel in response plan data review, safety and response audits, and response plan validation can highlight areas where the local knowledge is imperative.

The new response planning documents should include updates from various stakeholders and collaborating response groups. Open communications with internal and external responders will ensure plan and response procedures are current, and carried out in accordance with company protocols. Groups to consider in planning reviews include, but are not limited to:

  • Local responders (fire, police, emergency medical services, etc.)
  • Government agencies (LEPC, Emergency Management Offices, etc.)
  • Community organizations (Red Cross, weather services, etc.)
  • Utility Companies (Gas, Electric, Public Works, Telephone, etc.)
  • Contracted Emergency Responders
  • Neighboring Businesses

Whether a facility is domestically located or abroad, ensuring enterprise-wide compliance and employee safety requires streamlined, coordinated, and exercised response plans. A poorly managed and inadequate response can negatively affect a company’s reputation, operations, business interests, and relationship with key regulators, partners, and local entities.

Internal or external experts, as well as independent consultants can assist in response plan audits to ensure compliance, accuracy, and effectiveness. All response plans within the corporate enterprise should address site-specific facility details, appropriate response processes, standardized company-wide best practices, and maintain location-specific regulatory compliance.

The response plan audit process, followed by exercises, can minimize the “lessons learned” transfer process knowledge gap among incoming personnel. Important threat identification, operational site specifics, and response process and procedural details may have gone unnoticed in the transition, potentially compromising safety and emergency response.

After an audit, new or unidentified risks should be slated for possible mitigation measures and regulatory gaps should be documented. However, if the risks cannot be eliminated, new countermeasure processes and procedures must be implemented and response plans adjusted accordingly.

Other business units or divisions outside headquarters’ domain may present additional preparedness and response challenges. Audits should be inclusive of cultural differences, infrastructure challenges, or security priorities that may heighten preparedness priorities and planning efforts. As a result, an expanding company may be particularly vulnerable to crisis or emergency response situations.

Audits should verify that response plans have been effectively developed for each potential scenario. In addition to specific operational hazards and site-specific regulations, response planning may incorporate, but is not limited to, the following:

Natural Disasters: Each geographic location is saddled with specific potential natural threats. If historically applicable, plans should address:

  • Earthquakes
  • Hurricanes/typhoons
  • Sand/wind storms
  • Tornados
  • Floods
  • Tsunami

Security Breach: A security breach can affect multiple aspects of a company, from business continuity to the physical safety of employees. Plans may include response processes for:

  • Computer hacking
  • Catastrophic IT failure
  • Facility security measures
  • Civil unrest
  • Personnel/employee security

Industry/Sector Issues: As industry-specific equipment, regulatory requirements, and technologies evolve, preparedness efforts should adapt to include safety processes, continuity procedures, and best practices for:

  • Supply disruptions
  • Regulations
  • Plan maintenance
  • Plan accessibility
  • Employee training
  • Exercises

Through preparedness, companies can minimize the effects of costly crisis and emergency situations, as well as potential regulatory fines. Timely resolutions with limited impact to the facility, employees, the environment, reputation, and the financial bottom line will allow companies to better position themselves for growth, prosperity, and longevity.


 

Tags: Response Plans, Regulatory Compliance, Emergency Management Program, Security plans, Safety

Cyber-Security for ICS Necessary in Business Continuity Planning

Posted on Thu, Nov 21, 2013

The 2013 Global Risk Report ranks cyber-attacks in the “Top Five” of high-probability incidents occurring within the next ten years. According to the report, cyber-attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for risk analysis, computer security, downloads, and backups in order to secure necessary integrated technologies. A recent report by the European Union Agency for Network and Information Security (ENISA) highlighted security concerns over Industrial Control Systems (ICS), including the widely utilized Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). These concerns are echoed in recent publications by the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT).

ICS are often used to control industrial processes, such as manufacturing, product handling, production, and distribution, and are a necessary element to promote business continuity. The main concern expressed by ENISA and ICS-CERT is that prevalent industrial control systems are riddled with varying outdated and un-patched software, leaving them exposed and vulnerable to hackers and cyber-attacks. Mitigating this high risk is critical for maintaining continuity of operations.

Recent SCADA and ICS security incidents greatly emphasize the importance of vigilant observation, analysis, and control of SCADA infrastructures. The ICS-CERT quarterly newsletter, Monitor, stated that the response team responded to 198 incidents across all critical infrastructures in 2012. That number was surpassed by May 2013, with energy infrastructures comprising 53 percent of the targeted attacks. That percentage was up from 41 percent in 2012.


ICS-CERT urges operators to embrace coordination by sharing attack data, specifically indicators of system compromises, and established a secure portal to allow companies to actively engage in protecting critical infrastructure. Through the portal, ICS-CERT was able to identify 10 IP addresses that participated in a recent attack against a gas compressor station. The alert prompted other station owners to investigate their own networks and they eventually reported another 39 IP addresses associated with attacks.

According to ENISA, critical infrastructure companies should employ continual risk-based assessments of cyber security policies to prioritize and tailor recommended guidelines and solutions to fit specific security, business, and operational requirements. ICS-CERT offers recommended practices, vetted by subject-matter experts, to bolster technology security. In addition to these recommended practices, identifying procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology and business continuity of critical business processes in the event of an attack.

There must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, security efforts, and response measures during cyber disruption events. The ability to respond to critical incidents and identify root causes are key aspects in the ability to mitigate potential threats. With technology-based incidents, analyzing the deficiencies that led to IT downtime enables countermeasures to be implemented. ENISA offers four key areas that promote the investigative capabilities needed for mitigation efforts. These key areas include:

  1. Facilitate integration with existing structures
    • Determine source of evidence of security breach
    • Clarify data retention impact on systems
    • Streamline operational and IT interfaces
  2. Safeguard systems and configurations
    • Deploy security controls
    • Ensure logging controls
  3. Review key roles and responsibilities
  4. Embrace partnership coordination and cooperation

 


Tags: ICS, Security plans, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Global EHS Response Planning, Preparedness, and Challenges

Posted on Thu, Aug 22, 2013

As companies expand operations and become more global, applicable location-specific threats and risks must be identified and incorporated into preparedness measures. Enterprise expansion requires environmental, health, and safety (EHS) managers and corporate regulatory teams to sharpen their global understanding of regulations, security needs, and associated components of emergency response plans and strategies specific to location of operations.

Whether a facility is domestically located or abroad, ensuring compliance and employee safety requires a streamlined, coordinated, and exercised response plan. All response plans within the corporate enterprise should address site-specific facility details, appropriate response processes, standardized company-wide best practices, and should maintain compliance with local, state, and federal regulations.

A poorly managed and inadequate response, whether to an emergency or non-emergency incident, can negatively affect a company’s reputation, business interests, and relationship with key regulators, partners, and local entities. However, global branches outside headquarters’ domain may present additional preparedness and response challenges. Cultural differences, infrastructure challenges, or security priorities may heighten preparedness priorities and planning efforts. As a result, a multinational company may be particularly vulnerable to crisis or emergency response situations.

High-level crisis management responses may stem from either emergency or non-emergency situations. While necessary emergency responses likely affect the safety and health of employees and/or the facility infrastructure, non-emergency situations can arise that potentially impact company reputation and operational longevity. Response plans should be developed for each potential emergency or non-emergency scenario that could cause significant damage to local operations or company-wide. Crisis management or emergency response planning may incorporate, but is not limited to the following:

Environmental Stewardship: Disparity in international, country, state, county and corporate environmental standards. Environmental regulations may vary regarding:

  • Facility or site requirements
  • Transportation
  • Hazardous spills
  • Equipment safety
  • Fire-fighting method
  • Gas releases

Natural Disasters: Each geographic location is saddled with specific potential natural threats.

  • Earthquakes
  • Hurricanes/Typhoons
  • Sand/wind storms
  • Tornados
  • Flooding
  • Tsunami

Employee issues: While every facility must prepare for potential employee issues, global companies must pay specific attention to the following:

  • Cultural differences
  • Language barriers
  • Labor relations challenges
  • Workplace discrimination or harassment
  • Disgruntled workers
  • Health and safety disparagements

Marketing: Global markets and unethical business practices can create non-emergency scenarios resulting in the need for crisis management:

  • Price gouging
  • Supply availability
  • Recalls
  • Deceptive business practices

Security Breach: A security breach can affect multiple aspects of a company, from business continuity to the physical safety of employees.

  • Computer hacking
  • Catastrophic IT failure
  • Facility security measures
  • Civil unrest
  • Personnel/employee security

Corporate Governance: Corporate changes can initiate unrest, disrupt operations, and affect company reputation:

  • Mergers
  • Organizational restructuring
  • Downsizing
  • Facility closings
  • Management successions/promotions
  • Financial reporting integrity

Industry/Sector Issues: As industry specific equipment, regulatory advancements, and technologies evolve, preparedness should continually adapt to include safety processes, continuity procedures and best practices.

  • Supply disruptions
  • Punitive regulations
  • Equipment advancements

Illegal Activity: Faults in humanity may be intensified by location-specific conditions, supply and demand, and/or greed. Preparedness measures should include business continuity and crisis management procedures for the following circumstances:

  • Extortion
  • Bribery
  • Fraud
  • Malfeasance
  • Criminal Investigation

Political/Social issues: As companies strive to be profitable, political and social issues can interfere with daily operations. Situations that may affect productivity include, but are not limited to:

  • Human rights
  • Terrorism
  • War
  • Political or social unrest
  • Economic disparity
  • Discrimination

Through preparedness, companies can minimize the effects of costly crisis and emergency situations. Timely resolutions with limited impact to the facility, employees, the environment, reputation and the financial bottom line will allow companies to better position themselves for prosperity and longevity. Additionally, strategic preparedness and a response focus across global entities can propel international EHS best practices and bolster worldwide economic stability.


Tags: Social Unrest, Crisis Management, Facility Management, Emergency Management Program, Security plans, Political Instability, Media and Public Relations, Workplace Safety

Terrorism, Security Planning, and Emergency Response Plans

Posted on Mon, Aug 19, 2013

In early August, the U.S. government took proactive measures to protect 22 embassies and consulates from terrorist activity by closing those facilities. In response to terrorism intelligence, U.S. State Department spokesperson Jen Psaki stated, "This is not an indication of a new threat stream, merely an indication of our commitment to exercise caution and take appropriate steps to protect our employees, including local employees and visitors to our facilities."

The State Department statement highlights the need for security planning for private, public, government, and industry facilities. Response planning should address applicable threat and risk assessment results and incorporate security measures and appropriate procedures to protect facility employees and visitors. Two key factors that must be considered in security planning include the specific nature of the threats and the available warning time allotted.

The move by the State Department reflected these two prime security response factors. "Once you take targets away, it buys you additional time to try and disrupt, to identify the cell, the operators in country and the region, and work with your partners in the region to try and ... get them in custody or disrupt the plot," she said. "So, some of this operationally is about buying time."

While many facilities may not be targets of a specific terroristic threat, facilities must be prepared to respond to such an event. Companies should incorporate appropriate, site-specific responses to counteract the four major weapons associated with a terrorist attack. Specific roles and responsibilities of facility personnel, law enforcement, fire officials, and other first responders should be clearly described, reviewed, and updated as necessary.

Below are the four main weapon types that FEMA identified as most likely to be used by terrorists, with associated response actions:

1. Conventional weapons (bombs and other explosive devices): The goal is to place inhabitants in a protected space and/or increase the distance from the potential explosive area. The following actions should be considered:

  • Use basement areas
  • Move to interior hallways away from windows
  • Shut off gas utilities
  • Evacuate personnel

2. Chemical weapons (poisonous gases, liquids, or solids): The following actions should be considered:

  • Secure doors/windows
  • Turn off all ventilation, including furnaces, air conditioners, vents, and fans
  • Seek shelter in an internal room
  • Make decisions based on reliable information from public safety officials on the location of the chemical release and wind speed and direction
  • Develop reunification procedures that minimize the penetration of airborne substances
  • Communicate with medical personnel (intervene as appropriate or instructed)

3. Biological agents: These agents are organisms or toxins that have the potential to incapacitate people, livestock, and crops. They can be dispersed as aerosols, airborne particles or by contaminating food and water. These agents may not cause symptoms for days or weeks following an exposure. The following actions should be considered:

  • Mitigate exposure (includes getting everyone into buildings)
  • Secure avenues of penetration, to include closing doors/windows and shutting down the heating, ventilation, and air conditioning systems
  • Develop reunification procedures that mitigate risks
  • Develop a recovery plan in light of the highly contagious nature of these weapons
  • Communicate with medical personnel

4. Nuclear weapons (potential exposure to radiation): The overarching concern is to get individuals to a protected space or to increase the distance from the blast area. FEMA recommends taking shelter immediately as the three protective factors include distance, shielding, and time. Issues for consideration include, but are not limited to:

  • Potential magnitude
  • Emotional implications
  • Contamination
  • Casualties
  • Unavailability of emergency resources
  • Need for long-term sheltering
  • Hazard analysis (proximity to nuclear power plant, military installation, chemical plants)
  • Identification of at-risk persons or populations
  • Safe evacuation procedures and routes
  • Short-term and long-term recovery

Tags: Emergency Response Planning, Security plans, Terrorism Threat Management, Chemical Industry

Applying FEMA's Core Capabilities to Corporate EHS Programs: Part 2

Posted on Mon, May 13, 2013

FEMA has identified 31 core capabilities that should be incorporated into emergency management programs. Although the concepts are aimed at the public sector and governmental jurisdictions, companies can evaluate these elements for site-specific applicability and implement appropriate elements to actualize corporate strategic and tactical environmental, health, and safety (EHS) goals.

In Part 2 of this series on core capabilities, we will explore the concepts relating to FEMA’s mission areas of prevention and protection, and the core concepts that fall under these areas.

PREVENTION

Prevention “includes those capabilities necessary to avoid, prevent, or stop a threatened or actual act of terrorism. It is focused on ensuring we are optimally prepared to prevent an imminent terrorist attack within the United States.”

Forensics and Attribution: “Conduct forensic analysis and attribute terrorist acts (including the means and methods of terrorism) to their source, to include forensic analysis as well as attribution for an attack and for the preparation for an attack in an effort to prevent initial or follow-on acts and/or swiftly develop counter-options.”

Companies must remain vigilant in preventing terrorism. By prioritizing the analysis of on-site sources, such as chemical, biological, radiological, nuclear, and explosive material, companies can help to prevent initial or follow-on terrorist acts. Site-specific awareness training can broaden the scope of prevention by identifying potential sources and/or attributes associated with a terrorist attack.

PROTECTION

The following capabilities protect individual and critical corporate assets, systems, and networks against threats. EHS programs must institute these critical protective measures to promote business continuity. The ability to identify, quantify, and secure critical business processes that, when not functional, may damage a company’s reputation or ability to operate, is a critical stage in the business continuity planning process.

Access Control and Identity Verification: “Apply a broad range of physical, technological, and cyber measures to control admittance to critical locations and systems, limiting access to authorized individuals to carry out legitimate activities.”

Cybersecurity: “Protect against damage to, the unauthorized use of, and/or the exploitation of (and, if needed, the restoration of) electronic communications systems and services (and the information contained therein).”

Physical Protective Measures: “Reduce or mitigate risks, including actions targeted at threats, vulnerabilities, and/or consequences, by controlling movement and protecting borders, critical infrastructure, and the homeland.”

Risk Management for Protection Programs and Activities: “Identify, assess, and prioritize risks to inform Protection activities and investments.”

Supply Chain Integrity and Security: “Strengthen the security and resilience of the supply chain.”

PREVENTION/PROTECTION

Intelligence and Information Sharing: “Provide timely, accurate, and actionable information resulting from the planning, direction, collection, exploitation, processing, analysis, production, dissemination, evaluation, and feedback of available information concerning threats to the United States, its people, property, or interests; the development, proliferation, or use of WMDs; or any other matter bearing on U.S. national or homeland security by Federal, state, local, and other stakeholders. Information sharing is the ability to exchange intelligence, information, data, or knowledge among Federal, state, local, or private sector entities, as appropriate.”

Intelligence and information sharing are important components of the Incident Command System. Capitalizing on lessons learned enables companies to improve methodology based on actual experiences. To advance an EHS program, managers should include cyclical plan reviews to allow lessons learned to be implemented into preparedness, training and exercises.

Interdiction and Disruption: “Delay, divert, intercept, halt, apprehend, or secure threats and/or hazards.”

Companies must establish consistent protocols and regulatory compliance measures to maintain safe operations and minimize exposures. This includes proper and secure handling and disposal of hazardous materials capable of bringing harm to individuals, assets, or the environment. The objective is to remain vigilant in order to prevent potential threats, including terrorism.

Screening, Search, and Detection: “Identify, discover, or locate threats and/or hazards through active and passive surveillance and search procedures. This may include the use of systematic examinations and assessments, sensor technologies, or physical investigation and intelligence.”

Companies must be keenly aware of any operations that could potentially be targeted or used in a terroristic manner. Proper identification of materials and individuals, as well as security protocols, must be reviewed to guard against potential harm.

The next blog, Part 3 of the series, will address the core capabilities related to mitigation.  To begin reading Part 1 of this series, click here.

For an understanding of the necessary elements in creating an effective fire pre plan, download our Fire Pre Planning Guide.

Tags: Resiliency, Security plans, Cyber-Security, Terrorism Threat Management, Safety, Political Instability, Insider Threat

Maritime Security Training Requirements

Posted on Thu, Mar 07, 2013

Vulnerability assessments may reveal that certain waterfront facilities are considered “high-risk” to security breaches and associated threats. The main goal of security assessments is to identify and limit security risks to your facility, equipment, and personnel. Being able to identify and quantify risks at waterfront facilities allows companies to establish policies and procedures that can minimize the risk and consequences of security threats, and provide increased safety.

The Maritime Transportation Security Act (MTSA) requires “any structure or facility of any kind located in, on, under, or adjacent to any waters subject to the jurisdiction of the United States to conduct a vulnerability assessment and prepare and submit a security plan to the Secretary of Homeland Security based on the assessment.” This law is the U.S. equivalent of the International Ship and Port Facility Security Code (ISPS), and was fully implemented on July 1, 2004. Security plans may include, but are not limited to:

  • Passenger, vehicle, and baggage screening procedures
  • Security patrols
  • Establishing restricted areas
  • Personnel identification procedures
  • Access control measures
  • Installation of surveillance equipment.

A facility that is deemed high risk must assign a Facility Security Officer (FSO) and conduct appropriate training. According to 33 CFR Part 105, Maritime Security for Facilities, companies with multiple portside locations can assign a single employee as the FSO for all sites, as long as those facilities are in the same Captain of the Port (COTP) zone and are within 50 miles of each other. The FSO may also perform other duties within the company, but they must be able to perform the duties and responsibilities required of the FSO.

A security plan is required to describe the training, drills, and security actions of persons at the waterfront facility. These actions should deter, to the maximum extent practicable, a transportation security incident, or a substantial security threat. As per §105.210, facility personnel with security duties should be trained in the following:

  • Knowledge of current security threats and patterns
  • Recognition and detection of dangerous substances and devices
  • Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
  • Techniques used to circumvent security measures
  • Crowd management and control techniques
  • Security related communications
  • Knowledge of emergency procedures and contingency plans
  • Operation of security equipment and systems
  • Testing, calibration, and maintenance of security equipment and systems
  • Inspection, control, and monitoring techniques
  • Relevant provisions of the Facility Security Plan (FSP)
  • Methods of physical screening of persons, personal effects, baggage, cargo, and vessel stores
  • The meaning and the consequential requirements of the different Maritime Security (MARSEC) Levels
  • Familiarity with all relevant aspects of the TWIC program and how to carry them out

All other facility personnel, including contractors, whether part-time, full-time, temporary, or permanent, must have knowledge of the following, through training or equivalent job experience, as appropriate:

  • Relevant provisions of the Facility Security Plan (FSP)
  • The meaning and the consequential requirements of the different MARSEC Levels as they apply to them, including emergency procedures and contingency plans
  • Recognition and detection of dangerous substances and devices
  • Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
  • Techniques used to circumvent security measures
  • Familiarity with all relevant aspects of the TWIC program and how to carry them out.

The MTSA requires that facilities with a higher risk of involvement in a transportation security incident perform certain tasks in order to continue operating in the United States. Facilities must be able to present a Facility Security Assessment (FSA) Report and Facility Vulnerability and Security Measures Summary (Form CG-6025). If these items are not included in the Facility Security Plan, Coast Guard inspectors will not approve the plan.

Tags: Dock Operations, MTSA, Training and Exercises, Security plans

USCG Requirements and Responsibilities of Facility Security Officer

Posted on Mon, Sep 17, 2012

This summer, 22 nations, more than 40 ships and submarines, over 200 aircraft and 25,000 personnel participated in the Rim of the Pacific (RIMPAC) exercise in and around the Hawaiian Islands. The biennial exercise is designed to establish and sustain cooperative relationships to ensure the safety of sea-lanes and security on the world's oceans. This exercise emphasizes the importance of the US Coast Guard’s Maritime Transportation Security Act of 2002 (MTSA) for U.S.-based marine-transportation related facilities by prioritizing safety and security.

The MTSA requires marine-transportation related facility owners to be responsible for facility security. The Act requires vulnerability assessments and security plan approvals. The marine transportation security aspects regulated by the USCG cover the entire facility, not just the transfer or “dock” area.

However, not all port-located facilities are affected by the MTSA regulations. The MTSA requires that those facilities deemed “high risk” for transportation related security incidents must comply with regulations in order to continue operations. “High risk” facilities that must comply with MTSA requirements are those that perform the following:

  • Handle explosives, liquefied natural or hazardous gas, or other Certain Dangerous Cargoes (CDC)
  • Transfer oil or hazardous materials
  • Handle vessels covered by Chapter XI of the International Convention for the Safety of Life at Sea (SOLAS)
  • Handle passenger vessels certified to carry more than 150 passengers (if vessels actually embark or disembark passengers there)
  • Handle cargo vessels greater than 100 gross registered tons
  • Handle barges that carry cargoes regulated by 46 CFR, chapter I, subchapter D or O, or CDCs.

A facility that is deemed high risk must assign a Facility Security Officer (FSO). According to 33 CFR Part 105, Maritime Security for Facilities, a single employee may serve as the FSO for more than one facility, as long as the facilities are in the same Captain of the Port (COTP) zone and are within 50 miles of each other. The FSO may also perform other duties within the company, but they must be able to perform the duties and responsibilities required of the FSO. The FSO must ensure and oversee the following duties:

  • Facility Security Assessment (FSA)
  • Facility Security Plan (FSP) is developed and implemented
  • Annual audit, and if necessary, update the FSA and FSP
  • The FSP is exercised per §105.220
  • Regular security inspections
  • Security awareness and vigilance of the facility personnel
  • Adequate training to personnel performing facility security duties
  • Security incidents are recorded and reported to the owner or operator
  • Documentation of maintenance
  • Preparation and the submission of any reports
  • Any required Declarations of Security with Masters, Vessel Security Officers or their designated representatives
  • The coordination of security services in accordance with the approved FSP
  • Security equipment is properly operated, tested, calibrated, and maintained
  • The recording and reporting of attainment changes in MARSEC Levels to the owner or operator and the cognizant COTP
  • When requested, provide assistance to the Vessel Security Officers in confirming the identity of visitors and service providers seeking to board the vessel through the facility
  • Timely notification to law enforcement personnel and other emergency responders of any transportation security incident
  • The FSP submittal to the cognizant COTP for approval, as well as any plans to change the facility or facility infrastructure prior to amending the FSP
  • Facility personnel are briefed on changes in security conditions
  • Proper implementation of the Transportation Worker Identification Credential (TWIC) program, if necessary.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

Tags: USCG, MTSA, Security plans, Department of Homeland Security, Terrorism Threat Management, Chemical Industry

Benefits of C-TPAT - Customs-Trade Partnership Against Terrorism

Posted on Thu, Sep 22, 2011

The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary supply chain security program, led by U.S. Customs and Border Protection (CBP). Its goal is to improve the security of private companies' supply chains with respect to terrorism.

The C-TPAT program recognizes that CBP can provide the highest level of cargo security only through close cooperation with the owners of the international supply chain such as importers, carriers, consolidators, licensed customs brokers, and manufacturers. CBP asks businesses to ensure the integrity of their security practices, and communicate and verify the security guidelines of their business partners within the supply chain. This worldwide supply chain security initiative enables companies to ensure a more secure and expeditious supply chain for their employees, suppliers and customers.

C-TPAT participating importers tend to see a decrease in cargo exams, which in turn, decreases costs. Import shipments, subjected to U.S. Customs examinations, face increased costs in the form of U.S. port examination charges, container stripping charges, cargo transfer and storage charges, and other detention charges. Fewer exams mean fewer costs and an immediate savings on the corporate bottom line.

By joining the C-TPAT program, an importer is also eligible to join the Importers Self Assessment (ISA) program. The ISA program allows an importer to conduct an annual internal self-assessment of their own compliance profile and to determine and address risk areas and corrective action elements within their regulatory compliance profile. Members of the ISA program are removed from the Focused Assessment Audit schedule conducted by the Office of Strategic Trade and Regulatory Audit division of CBP.

The CBP provides an informational guide as a stepping-stone to build an international supply chain security risk assessment. The guide is not "all inclusive" of what should be incorporated, as the security assessment should be based on site risk ratings, supply chains, and company specific business practices.

The 5 Step Risk Assessment Process includes:

1. Mapping Cargo Flow and Identifying Business Partners (directly or indirectly contracted). Identify ALL parties involved in the following processes:

  • Procurement
  • Production
  • Packing
  • Storage
  • Loading/Unloading
  • Transportation
  • Document Preparation

2. Conducting a Threat Assessment focusing on: Terrorism, Contraband Smuggling, Human Smuggling, Organized Crime, and conditions in a country/region which may foster such threats and rate threat – High, Medium, Low: Identify and rate the risk of threat for the country and region for each international supply chain, using the following (at a minimum):

  • Terrorism (political, bio, agro, cyber)
  • Contraband Smuggling
  • Human Smuggling
  • Organized Crime
  • Conditions fostering above threats

3. Conducting a Vulnerability Assessment in accordance with C-TPAT Minimum Security Criteria and rate vulnerability – High, Medium, Low: For all business partners in the international supply chain (directly contracted or sub-contracted):

  • Identify the process they perform
  • Verify partners meet applicable minimum-security criteria
  • Rate their compliance within each applicable minimum-security criteria category

4. Preparing an Action Plan: Establish a corrective action plan to address gaps or vulnerabilities found in business partners’ security programs.

5. Documenting How Risk Assessments are conducted: A description of the company’s approach, policies, and procedures for conducting an international supply chain security risk assessment.

Tags: Regulatory Compliance, Security plans, Chemical Industry