Tuesday, January 22, 2008

Getting ready for Security Vulnerability Analysis

Today is the last day to complete Top Screens so it is a good time to look at taking the next step. Those facilities that have been told that they “may be regulated” have to start getting ready to prepare their SVA. While the details of the DHS guidelines for the SVA have yet to be published, there are some steps that can be taken to get ready to prepare any form of SVA

First the SVA team needs to be selected. There is no required number of people that have to be on the team, but there are certain skills that will be necessary. The CCSP Guidelines for SVAs provides a list (pg 46) of the minimum knowledge and/or skills needed to complete an SVA.

            ·         “Security vulnerability analysis procedures and methodologies”

·         “Security procedures, methods and systems”

·         “Process safety including PSM and RMP requirements and programs (as appropriate)”

·         “Knowledge of the facility (and site) under study including:

v  “Potential hazards associated with the process chemistry, raw materials, finished goods, and the physical location of each”

v  “Process and equipment design bases”

For facilities that have done PSM or RMP process reviews should be able to use similar a similar team to do an SVA. It does have to be stressed that a Process Hazard Analysis (PHA) is not the same thing as an SVA. The main difference is that an SVA looks to determine what a determined, educated adversary can cause to go wrong with the safety and security systems of a facility.

The following skills should also be considered  (pg 47) when looking for team members:

·         “Military doctrine, especially in terrorism, weapons, targeting and insurgency/guerilla warfare and knowledge of weapons of mass destruction (WMD)”

·         “Adversary characteristics and capabilities knowledge, especially of transnational terrorist groups”

·         “Safety and industrial hygiene”

·         “Environmental engineering”

Most chemical facilities do not have security professionals on staff. One of the questions that must be answered early in this process is where to get that security knowledge. An obvious source is to look for a security consultant that has some experience in the chemical industry. A less obvious source would be to look for personnel working on site that have military experience with security.

The team members will be handling and preparing Chemical Vulnerability Information (CVI) so they need to take the online training program and get certified as being authorized access to CVI. If an outside consultant is going to be used, the CVI training of that individual can be confirmed with DHS. Internal procedures will have to be developed for marking, handling and securing CVI.

The other thing that team members need to do is to become familiar with the SVA process. Once again, pending the publication of the DHS procedures, a good place to start is by reading the CCPS book. This book can be bought online. Other approved SVA process descriptions can be downloaded from the CCPS site.

No comments:

/* Use this with templates/template-twocol.html */