Wednesday, November 19, 2008

RBPS Guidance – Security Procedures, Policies and Plans

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the discussion of security procedures, policies and plans found in Appendix C. Earlier blogs in this series include:

RBPS Guidance – Introduction
RBPS Guidance Shortcomings
RBPS Guidance – 18 Risk Based Performance Standards
RBPS Guidance – RBPS Metrics
RBPS Guidance – Physical Security Measures

There are a number of different procedures, policies and plans that contribute to a comprehensive security plan. Individually they will detail how a facility will deal with a wide variety of security related tasks. The section in Appendix C (page 157) lists seven such tasks, or security measures:
(1) Inventory Controls/Product Stewardship; (2) Managing Control Points; (3) Screening; (4) Personnel Surety (i.e., Background Checks); (5) Exercises and Drills; (6) Training; and (7) Responding to Elevated Threat Levels
For each task there is a short description, a brief review of the security considerations affecting the task and a listing of the RBPS that it supports. Finally there is a list of resources available on-line or in print for further information.

Inventory Control

Keeping track of the inventory of chemicals at a chemical facility and controlling the use of those chemicals is an important business process and a significant means of managing costs. At high-risk chemical facilities the application of those control procedures to chemicals of interest (COI) also forms an important part of the security procedures for facilities. This is especially true for theft/diversion COI. This is just about all that the discussion in Appendix C covers.

Managing Control Points

Managing control points is actually an extension of the perimeter barriers discussion under Physical Security Measures. Control points are those places where people are allowed through the facility or secure area perimeters. The bulk of the discussion in this section deals with controlling vehicles.

Screening

Screening is the process of identifying and inspecting people and vehicles that enter the facility at the designated control points. This section includes a discussion of the variety of types of personnel identification that might be used to control access to the facility, including government issued ID, corporate issued ID or facility issued ID, as well as identification techniques for vehicles authorized access to the facility. This section also includes a brief description of the search techniques that could be employed to search personnel and vehicles.

The discussion in this section is fairly extensive, but it does not provide much depth. There is no discussion of the pros and cons of the various techniques listed. Even in the ‘considerations’ section there is little more than a listing of physical and environmental factors that must be taken into consideration.
That listing does not even sound as if it applies to the screening techniques listed. It sounds more like it should belong in the physical security section of Appendix C.

Personnel Surety

Without a doubt the most extensive and useful discussion in this section of Appendix C deals with background checks. This may be because “DHS believes personnel surety to be a key component of a successful chemical facility security program, with the level of screening commensurate with the access provided” (page 164). There is a detailed listing of the different types of background checks that can be done, with a brief discussion of what each type requires in the way of personnel information and what information a facility might expect to obtain from that particular type of check.

The evaluation of data obtained from these checks is probably the most controversial aspect of the use of background checks. DHS provides (page 168) a listing of ‘anomalies’ that might be ‘significant’ if turned up in a background check. Just as importantly, they provide a listing of things to take into account when deciding what information justifies not allowing an employee to have unaccompanied access to sensitive areas of the facility.

The one thing that is lacking is a discussion of how a facility deals with an employee's disagreement with ‘adverse information’ found on the background check. The discussion does not address the fact that none of the systems used for conducting checks is error free. Any personnel surety program needs to address how the facility will deal with allegations of incorrect information.

There is also a brief discussion about how a personnel surety program deals with visitors. The option of completing a background investigation is not practical or legal, but some level of vetting is required. Even though visitors will be escorted whenever they move through the facility, their business at the facility will still be verified before allowing them even escorted access.
Exercises and Drills

There is a very good discussion of how drills, exercises and tests are used in training and evaluating how teams will work together in a variety of emergency and security situations. What is missing is any kind of discussion on how drills, exercises and tests are designed and executed. Nor is there any discussion of how individual skill training fits into this picture.

Training

There is a very good discussion of how a facility training program should be tailored both for different categories of employees and for the risk ranking of the facility. The discussion includes a table (Table A-5, pgs 173-4) of ‘possible’ training requirements for the Site Security Officer (and assistant), Personnel with Security Responsibilities and everyone else. There is another table (Table A-6, pg 174) that shows a reasonable (but remember, not required) schedule for conducting training, drills and exercises.

Editorial Comments

‘Editorial’ in this case is not commentary, but comments by an editor. This section of Appendix C is poorly put together, with many entries put in the wrong place in the document. For example:

The second paragraph under Managing Control Points (page 158, starting “Because control systems are not self-administering…”) belongs in the discussion of the Inventory Control Measures.

The entire ‘Layered Security Measures’ section under ‘Security Considerations for Screening’ (page 162) has nothing to do with screening. It probably belongs with the earlier discussion under ‘Physical Security Measures’.

The entire ‘Physical and Environmental Considerations’ section under ‘Security Considerations for Screening’ (page 162) belongs with the ‘Monitoring and Intrusion Detection’ section under ‘Physical Security Measures’, as does the entire ‘Command and Control’ section at the top of page 163.
The entire ‘Training’ section should come before the ‘Drills and Exercise’ portion of the discussion, since drills and exercises are an extension of the training, as is made clear in the discussion.

Under the heading of ‘Performance Standards Affected by Training’ on page 175, the sentence starting “The implementation of monitoring systems…” belongs under the ‘Monitoring’ discussion.

Finally, there is no discussion of ‘Responding to Elevated Threat Levels’ that was listed in the introduction to the ‘Security Procedures, Policies, and Plans’ section of Appendix C.
