Thursday, September 9, 2010

Reader Comment 09-08-10 Security Training

Yesterday Don Greenwood of Greenwood Security left some comments on my recent post about the DHS Chemical Security Awareness Training Program. He addressed some of the things that his company considers to be important in addressing security training issues. It is certainly worthwhile reading his entire comment, but I want to address a specific issue here: the different types of training with which facilities need to concern themselves.

Levels of Training

Don quite correctly points out that there are different training requirements for different people working at either the CFATS or MTSA facility (though I’m not sure that there is currently enough similarity between the two programs to allow a given training program to serve both types of facilities). Don identifies three levels of training; I’m going to make some changes to Don’s descriptions of these levels for this discussion. I think that we are looking at the same types of training, but the labels are now my fault. Those levels of training are:

● Security management
● Active participants in the security program
● All other facility personnel

Security Awareness Training

All covered-facility personnel (employees and contractors) need to receive the same security awareness training. Most of this training will be a generic look at how terrorists operate, their need to acquire intelligence about the facility and the three classic techniques used to acquire that information: surveillance, infiltration and subornation. Canned programs like the DHS Chemical Security Awareness Training, or any of the publicly available versions of Seven Signs of Terrorism produced by a variety of State law enforcement organizations, could be used for this generic look at terrorism.

After the generic presentation is completed, someone from management (preferably the person responsible for the facility security program) should follow up with a brief presentation about the specific threats faced by that facility. For most facilities there won’t be any details about specific groups targeting the facility, so this portion will probably focus on the various chemicals of interest (COI) found at the facility. This discussion would also include the types of attacks that the facility is addressing in its security plan. Details about the security plan would not typically be addressed.

This training would address the issue of critical assets at the facility and how restricted areas are used to protect those assets. The concept of ‘unaccompanied access’ should be explained with an emphasis that it is only granted to those who need the access and that failure to be granted such access is not an indication that the individual is not trusted by facility management.

Finally, this training must address how individuals would report any security concerns that they have and how they would report suspected surveillance or attempts by unusual people to obtain information about the facility. Personnel need to be clearly advised to report such incidents and not to attempt to take action on their own.

Security Program Training

The next level of training is for those people who have specific duties under the security plan for the facility. The training must address the specific requirements that they must be able to fulfill. Because of the wide variety of tasks that go into a security plan this may be the hardest part of the training program to put together. Unless the facility has a very large training budget (not likely in today’s economy), training program development is going to have to focus on grouping similar job tasks together. This will also allow for some cross training.

For example, improvised explosive device recognition is an important task that would be appropriate to gate guards, bulk unloaders, and whoever checks incoming railcars. Basic cyber security procedures would be covered with all personnel who have access to networked computers. Detection of fraudulent chemical orders would be covered with the sales force, order takers, and shipping personnel.

Some of this training can be done with commercially available training programs (like the IED recognition training), but most of it is going to have to be developed specifically for the facility. There are many organizations like Don’s that will prepare this type of training for a facility. This custom training development can be quite expensive unless the company being used can adapt already existing training that they have on hand to the specific facility requirements.

Don’t forget government-provided training like the Chemical-Terrorism Vulnerability Information (CVI) training/certification provided by DHS. I have heard of a number of different training organizations and consultants that have developed their own CVI training programs. I don’t want to slight these programs (especially sight unseen) but why would you want to pay for such programs when you have to use the DHS program to get people registered to handle CVI material in any case? Having a couple of people (a primary and a backup) take a CVI course that focuses on management of the CVI program does make some sense, particularly for larger facilities.

The security program training for a facility is not going to happen overnight. Because of the cost of effective training programs, security planners are going to have to take a long hard look at their training program. For most facilities the first iteration of the training necessary to satisfy regulatory requirements is going to have to be informally developed and conducted in-house. Department meetings discussing the new security requirements should be documented as training activities.

The more detailed, and costly, training requirements that I discussed earlier are going to have to be identified, prioritized and budgeted. The documentation of this training planning is as important as the documentation of the training that has been conducted. Both will be looked at during compliance inspections.

Security Management Training

Don’s comments identify this as the training for the FSO (an MTSA term) or the Site Security Officer (a CFATS term) and imply that it is for a single individual. For some smaller facilities this is probably true. While all facilities will have a single person who is responsible for the whole security program, larger facilities are more likely to have a number of individuals responsible for individual components of the plan. Typically there will be a person responsible for cyber security (or maybe two people; one for IT and one for control systems) and one for security guards.

Remember, for any of these duties that are outsourced (like security guard management), it is still the facility that is responsible to DHS (Coast Guard or ISCD as appropriate) to ensure that this outside agency meets and documents its security training requirements. The contract with these agencies needs to specify that they will provide the appropriate records to document that training in the event of a security inspection.

The training for the security management team will almost certainly have to be farmed out to outside agencies. Typically this is going to include physical attendance at a variety of training courses. The use of on-line training is becoming much more common. Such training is conducted by many organizations (industry associations are a good source) and many consultants and security management firms have developed in-house training programs for their customers.

Don’t forget the availability of FEMA’s Emergency Management Institute. There are a number of distance learning courses available here that deal with incident management. This is a key part of security training that is often overlooked by those who mistakenly assume that security is just about preventing incidents.
