Saturday, December 13, 2014

Reader’s Questions – CFATS Internal Audits

Earlier this week I had an interesting question from a long-time reader; he asked:

I was wondering if you had any news and/or statistics on how many entities with approved SSPs/ASPs have done their annual audit? 

At first I thought that he was talking about the compliance inspection that DHS is supposed to do one year after the site security plan is approved, but he corrected my misconception by reminding me about the requirements of 6 CFR 27.225(e):

“A covered facility must conduct an annual audit of its compliance with its Site Security Plan.”

This is pretty standard language for a large number of Federal programs that require companies to develop a plan on how to do something. It requires that the company go back and verify, on a recurring basis, that it is still complying with the plan. Many companies overlook this type of requirement since there is no requirement to submit any data or reports about the audit. Even companies that make an honest effort to follow the spirit and letter of the law seldom do more than a pro forma look at their existing plan to ensure that they are still in compliance.

If a facility wants to do a real audit of their SSP, what are the types of things that they need to look at? Lacking any specific guidance from ISCD (and your Chemical Security Inspector would be a good person to talk to about any current guidance), here are some things that you might want to pay particular attention to (WARNING: This is my opinion and has not been verified with ISCD):

Status of planned security measures – If the approval of your SSP included any planned security measures, you need to ensure that the agreed-upon plan for their implementation has been followed. You are certainly required to report deficiencies in that implementation plan to ISCD.

CVI certification – Fortunately the CVI certificates that were obtained at the beginning of the CFATS process are all still good. But, if any new people were added to the program administration (people with significant responsibilities under the SSP) you need to ensure that they have also obtained CVI certification. If they haven’t, geterdone.

Training files – Ensure that your other training files are also up to date. This specifically includes awareness training for all new employees and contractors.

Exercise files – Remember that plans (both security and emergency response) that are not exercised are likely to fail in a real situation. Make sure that you document the exercises and the after-action reviews. If those reviews indicated that changes were required for your SSP, those changes would need to be approved by ISCD.

Cybersecurity – A lot has changed in the cybersecurity world in the last year, particularly in the realm of control systems. This would be a really good time to have a cybersecurity consultant come in and take a fresh look at your system. If you’re fortunate enough to have your own cybersecurity experts, this would be a good time to do a CSET review.

Verify your CSAT Team – Go back and verify that the Authorizer, Preparers, Submitter and Reviewers are still the people that you want in those positions. Update as necessary. BTW: It looks very bad if one of the people currently listed in these positions with ISCD no longer works for the company. If you don’t know who is listed, contact the CFATS Help Desk {Phone (866) 323-2957}.

Review the threat landscape – The facility security officer should have a good relationship with the closest fusion center and local law enforcement. Talk with them about their view of the current threat landscape in your area.

There are other things that should be looked at in the audit; actually, everything should be. But if you hit the above list hard and do a standard read and review of the rest, you will probably be in good shape.
