Tuesday, October 26, 2010

Security Policy

There is an interesting article over on SecProdOnLine.com about the CFATS process based upon a presentation made at the recent ASIS meeting in Dallas. The author makes a number of observations about the CFATS process, but one of the more important points is described this way: “Saad [Michael Saad, CPP, senior director of consulting services at Huffmaster Crisis Response LLC] explained that planned security measures must be written into company policy and procedures.”

Establishing an effective site security plan under CFATS is going to require the development of a number of new security procedures and policies. It is also going to require an in depth review of all current policies to ensure that they support the security plan.

Personnel Policies

CFATS regulations require a facility to have a background check program in place for facility personnel. This program needs to be integrated into corporate personnel policies. Hiring policies need to reflect the requirement to be able to pass a background check. Job postings, both internal and external, will need to note this requirement.

Companies that have both CFATS covered facilities and facilities that are not designated high-risk facilities will have to make the decision as to whether or not the background check requirements will apply to personnel not assigned to CFATS facilities. That decision will have to include consideration of the fact that many corporate jobs (IT, order processing, etc) will support security procedures at covered facilities; those personnel should also be covered by the background check procedures.

Disciplinary policies will need to be reviewed to determine how security violations will be treated under those policies. Procedures will need to provide for immediate dismissal for some types of violations. These need to be clearly delineated and carefully considered. Immediate dismissal polices certainly need to be reviewed by legal personnel.

Contractor Policies

CFATS facilities need to review all contracts for on-site services to ensure that they support the site security plan. Requirements for background checks need to be clearly spelled out. This needs to include provisions requiring contractors to present background check information to DHS inspectors as required. Contracts should also spell out the security processes and procedures that need to be complied with by contractor personnel while on site.

Facilities need to look at requiring contractors with a daily or long term presence on-site to have specific security policies in place that compliment facility security procedures. If this requirement is put into place, facilities will also need to include provisions for periodic audits of those procedures to ensure that they are not just paper drills.

Sales Policies

Facilities that ship theft/diversion chemicals of interest have to have policies in place to vet customers. This needs to be carried well beyond security procedures into the entire sales process. Sales personnel need training on these requirements, and they need to be specifically spelled out in detail sales procedures. Sales contracts need to include language covering these requirements and sales literature should include mention of these requirements. Depending on the involvement of sales personnel in the vetting process, those personnel may need to be covered under the CFATS background check requirements even if they never set foot on facility grounds.

Order processing procedures also need to reflect these vetting processes. All personnel in the order processing chain need to be trained on these security requirements. Any personnel with independent decision making authority in the vetting process need to be covered by the personnel surety process.

When ever possible, the processing of orders for theft/diversion COI needs to include provisions for verification of vetting. Specific personnel should be required to sign-off on the vetting at designated places in the vetting process. This should include customer approval, new-site shipment approval, and approval of unusual order patterns. Documentation of those approvals should be clearly documented so that downstream personnel can continue their order processing in a timely manner.

Review All Policies

These are just the most obvious policies that must be considered when site security plans are established. Every company policy needs to be reviewed to ensure that provisions of that policy not only do not contradict security policies, but that they actively support security. Security, like safety and quality, must be included in every part of the corporate culture.

No comments:

/* Use this with templates/template-twocol.html */