This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the reporting of the existing security information at the facility. The previous blogs in this series are listed below.
Most high-risk chemical facilities already have taken some steps to secure the facility against terrorist attack. This section of the SVA looks at the existing equipment, processes and procedures that are currently in place to reduce the vulnerability of the COI at the facility as well as off-site features that might increase that vulnerability. The inclusion of a security measure on the SVA Tool does not imply that such measures will be required in the Site Security Plan.
Security Equipment at the Facility
This portion of the SVA requests information about security equipment at the facility. This would be equipment that might reduce the vulnerability of COI and applies across the entire facility. Three data entry boxes are provided; Equipment, Location, and Support Systems Required.
The Equipment box has a pull down menu that provides a list of typical security equipment. The Preparer will select an appropriate type of equipment. Entries will then be made in the Location and Support Systems Required boxes for that equipment. Once that information is entered the “ADD” button will be pushed. If the facility’s security equipment is not listed in the pull down menu, a blank equipment box is available for listing that equipment.
Unfortunately the pull down menu (according to the CSAT SVA Questions manual) does not include a number of typical types of security systems. Additional security equipment might include:
- Perimeter Fencing
- Secondary Fencing around COI Storage Areas
- Blast walls or berms
- Vehicle Barriers
- Chemical Detection Equipment
Utility Systems and Infrastructure Support
If a facility reports and security equipment that requires utility or infrastructure support the Preparer is required to enter data about the location of those utilities. Two data entry boxes are provided; System/Infrastructure and Location.
The System/Infrastructure box has a pull down menu listing typical utilities that would provide support for security systems. The Preparer will select an appropriate utility and then fill in the location box for that Utility. Once that information is entered the “ADD” button will be pushed. If the facility’s supporting utility or infrastructure is not listed in the pull down menu, a blank System/Infrastructure box is available for listing that equipment.
Inventory Control Measures
For facilities that have one or more Theft/Diversion security issues listed on their DHS initial notification letter there will be a section for inventory control measures on their SVA. This section will deal with a variety of inventory control techniques that might be useful at reducing the vulnerability to theft or diversion of these chemicals.
The Preparer will first enter a name for each inventory control measure into a data entry box, pressing the “ADD” button when each entry is completed. Once all control measures are listed additional questions will be asked about each measure. Those questions are:
· Is the inventory procedure automated? (Yes/No – No Default)
· Frequency Applied? (pull down menu)
· Location? (data entry box)
· Inventory Procedure? (checklist, check all that apply)
· List of COI procedure applicable to? (Yes/No – No Default)
Personnel Access Control Measures
If a facility has procedures in place that control or limit access to the facility that might limit the facilities vulnerability to attack. This section looks at such control measures that are already in place at the facility.
The Preparer will select from a drop down list the personnel access control systems in place at the facility. If the control measure in place is not described in the options provided a data entry box is available for naming that system. The available options are:
· Personnel recognition by officer – no badges or pictures used.
· Manual badge validation by officer – officer looks at badge or identification
· Biometric validation – biometric device used to verify identity
· Computerized access with no validation – swipe or proximity card with no guard or computer validation (password, etc)
· Personnel access allowed on foot only – passenger vehicles not allowed in facility
· Visitor access clearance and badging
· Visitors require advance registration – a list at entrance control point
· Visitors require full time escort
Additional information will be required for each control measure. This information includes:
· Is the control measure automated? (Yes/No checklist)
· Frequency Applied? (checklist – select one)
· Location? (data entry box)
· Personnel Covered? (data entry box)
Unfortunately this section does not recognize that personnel access controls at many facilities change at different times of the day or week. During off-shifts there may be no guard at the entrance, it is normally left closed. On shift personnel will provide necessary access when required. In that case most facilities will probably want to complete this portion with information for normal daytime operations.
Shipping and Receiving Control Measures
This is another set of questions that will only show up if a facility has a theft/diversion security issue listed on their initial notification letter from DHS. The SVA question asks if the facility has any shipping and receiving measures that could reduce the vulnerability to an attack. Keep in mind that the kind of attack envisioned here would be the diversion of these COI.
The Preparer will enter the name of the control measure in a data entry box. After pushing the “ADD” button to enter that name a list of questions will appear for that control measure. Those questions include:
· Automated? (Yes/No)
· Frequency Applied? (Pull down menue)
· Location? (Data entry box)
· Control Measure Feature? (Checklist, check all that apply)
· COI Covered? (Checklist, check all that apply)
Post-Release Measures and Equipment
For facilities that have one or more Toxic Release security measures there will be a section on the SVA Tool asking about post release measures that might mitigate the effects of a successful attack. This does not include single asset measures like dikes around storage tanks. It is looking for items like community warning systems or evacuation plans.
The Preparer will use a pull down menu to select a measure. If the facility’s measure is not listed there is a data entry box for additional measures. When the “ADD” button is pushed additional questions will appear for that measure. Those questions include:
· Location? (Data entry box)
· Support Systems Required? (Data entry box)
Site Vulnerability Factors
All facilities will see the question about additional site related factors may increase the sites vulnerability to attack. These would include off-site terrain and infrastructure items. These could be items that make it easier for surveillance to be conducted without observation or make it harder for police and emergency personnel to respond to an attack.
The Preparer will list each vulnerability in a data entry box. After the “ADD” button is pushed a Comment data entry box will appear to allow recording any additional information about that site vulnerability.