Friday, November 7, 2008

RBPS Guidance – 18 Risk Based Performance Standards

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the general layout and content of the Guidance document's discussion of the individual Risk-Based Performance Standards. Earlier blogs in this series include:

RBPS Guidance – Introduction
RBPS Guidance Shortcomings

The bulk of the Guidance document consists of a detailed discussion of each of the eighteen separate risk-based performance standards. A listing of the RBPS can be found in 6 CFR Section 27.230. Table 1 of the Guidance document (pages 9-11) duplicates that listing.

Organizing the Discussion

Each RBPS is presented in a separate chapter. Each of the eighteen chapters has a common format with four sections. Those sections are:

Introductory Overview
Security Measures
Considerations
RBPS Metrics

The introduction to the RBPS Guidance document (page 12) explains the purpose of each of these sections. We will look at each section in turn.

Introductory Overview

This section generally describes the RBPS. It also provides definitions of any ‘terms of art’ used in the subsequent discussion of that RBPS. These overviews run from a single paragraph (RBPS #3, for example) to a couple of pages (RBPS #1, for example). The shorter overviews provide little useful information, but even the longest hardly provides an adequate introduction for personnel unfamiliar with security processes. An example of one of the shorter and less helpful overviews can be found in the discussion of RBPS #6 (page 65):
“Theft or Diversion establishes performance standards focused on preventing the theft or diversion of potentially dangerous chemicals, such as chemicals of interest (e.g., chemical weapons, chemical weapons precursors, explosives, explosive precursors, or other chemicals of interest that could be used to inflict harm at a facility or off-site).”
Security Measures

This section looks at the various measures a facility might employ, or procedures it might use, to address the RBPS. It contains a general overview of the security measures and may also contain a listing of some of the specific security measures a facility might employ. Again, anyone expecting an exhaustive listing of techniques and procedures will be greatly disappointed; this is a high-level introduction at best. The discussion of cyber security measures (RBPS 8) is clearly the most extensive. It provides a more comprehensive listing of security measures, but the discussion provides little actionable information. An example of the discussion provided for one cyber security measure (page 77) follows:
“Remote Access and Rules of Behavior. Remote access (e.g., via the Internet, Virtual Private Network, modems) occurs when users (e.g., employees, vendors, maintenance personnel, and others) access or communicate with a cyber system outside of a facility where that cyber system resides. Rules of behavior are often established by the facility and made available to all cyber system users. Those rules typically describe user responsibilities, expected behavior with regard to information system usage (e.g., appropriate web sites, conduct of personal business), including remote access activities.”
Considerations

The RBPS overview places ‘Considerations’ under the same heading as ‘Security Measures’. In each RBPS chapter, however, the two are separated under their own subheadings. That makes Considerations a distinct section in my mind, and I will treat it as such. The intent of this section is to give the facility a discussion of the factors that the security management team will want to consider when deciding how the facility will address that particular RBPS. As with the Security Measures section, the information provided here is uneven throughout the document. The best discussion is found for RBPS 1 (page 25) and RBPS 2 (page 35); the two discussions are actually identical. Even there it is a high-level discussion without a great deal of detail, and the quality goes downhill quickly from that point. Here is an example of one of the poorer discussions, taken from RBPS 7, Sabotage (page 72):

Layered Security

“Completely adequate protection is rarely achievable solely through implementing a single security measure. Rather, an appropriate security solution typically depends upon the use of multiple countermeasures providing “layers of security” for protection. This may include not only the layering of multiple physical protective measures, but also the effective integration of physical protective measures with procedural security measures, including procedures in place before an incident and those employed in response to an incident.”
RBPS Metrics

Potentially the most valuable section in each discussion, the RBPS Metrics section provides a ‘narrative summary of the security posture of a hypothetical facility at each tier in relation to this RBPS’. There is a summary section providing metrics for the overall implementation of the RBPS, followed by an individual metric for each of the security measures addressed in that RBPS. The information is presented in tabular form with an entry for each Tier level. The term ‘metric’ implies a measuring device that the facility security management team could use to evaluate how well their implemented security measures address the RBPS. In keeping with the Congressional mandate that DHS not require specific security measures, these metrics are defined in qualitative rather than quantitative terms. Like every other section in this document, this one is implemented unevenly. Most of the metrics provide useful discussions of how to evaluate that security measure or RBPS, but there are a number of places where the metric does not distinguish between Tier levels and so provides little useful information. For example, this (page 98) is the summary-level metric for the Training RBPS (#11); it is the same for all four Tiers:
“The facility has a security awareness and training program for all facility personnel that includes drills and exercises designed to test and improve performance of aspects of the Site Security Plan and its supporting implementing procedures.”
